Regulation (EU) 2024/1689: Harmonised Rules on Artificial Intelligence

REGULATION (EU) 2024/1689 establishes a harmonized legal framework for artificial intelligence (AI) within the European Union, aiming to enhance the internal market while ensuring health, safety, and fundamental rights protection. The regulation promotes the development and use of trustworthy AI systems, preventing member states from imposing restrictive national rules that could fragment the market. It emphasizes the importance of aligning AI deployment with Union values, including democracy and environmental protection, while supporting innovation and employment. Specific provisions address the processing of personal data and the use of AI in law enforcement contexts.

Extracted 822 entities, 1605 relations and 49 topics on Feb 15, 2026
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689
Text ChunksTopicsEntities

Network

Topics

Article, Directive, Date
Technical documentation, Regulation, Institution
Article, Regulation, Ai system
Regulation, Article, Ai system
Article, Technical documentation, Ai system
Regulation
Market, Ai system
Ai system, Data set
Ai system, Directive, Institution
Personal data, Institution, Computation
Ai system, Regulation, Personal data
Directive, Treaty
Regulation
User, Ai system, Computation
Technical documentation, Article, Parameter
Regulation, Article, Institution
Institution, Regulation, Article
Regulation
Article, Institution, Regulation
Technical documentation
Technical documentation
Directive, Regulation, Article
Institution, Article, Technical documentation
Data set, Parameter
Article, Technical documentation, Institution
Article
Article, Regulation, Directive
Article, Institution
Article, Institution, Technical documentation
Directive
Directive
Directive
Directive
Directive
Article
Regulation, Institution
Ai system, Date, Regulation
Ai system, Date, Regulation
Ai system
Regulation
Personal data
Institution
Directive, Date
Concept
Article, Institution, Regulation
misc
Directive
Ai system
Article

Content

Show original text
REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, dated 13 June 2024, establishes standardized rules for artificial intelligence (AI) and modifies several existing regulations and directives. This is known as the Artificial Intelligence Act. The European Parliament and the Council of the European Union are acting based on the Treaty on the Functioning of the European Union, particularly Articles 16 and 114. This regulation aims to enhance the internal market by creating a consistent legal framework for the development, marketing, and use of AI systems within the EU. It promotes the adoption of human-centered and trustworthy AI while ensuring strong protections for health, safety, and fundamental rights as outlined in the Charter of Fundamental Rights of the European Union, which includes principles like democracy and the rule of law.
REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance) THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION, Having regard to the Treaty on the Functioning of the European Union, and in particular Articles 16 and 114 thereof, Having regard to the proposal from the European Commission, After transmission of the draft legislative act to the national parliaments, Having regard to the opinion of the European Economic and Social Committee (1), Having regard to the opinion of the European Central Bank (2), Having regard to the opinion of the Committee of the Regions (3), Acting in accordance with the ordinary legislative procedure (4), Whereas: (1) The purpose of this Regulation is to improve the functioning of the internal market by laying down a uniform legal framework in particular for the development, the placing on the market, the putting into service and the use of artificial intelligence systems (AI systems) in the Union, in accordance with Union values, to promote the uptake of human centric and trustworthy artificial intelligence (AI) while ensuring a high level of protection of health, safety, fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’), including democracy, the rule of law
Show original text
This regulation aims to ensure that artificial intelligence (AI) is developed and used safely while protecting health, safety, fundamental rights, democracy, the rule of law, and the environment, as outlined in the Charter of Fundamental Rights of the European Union. It also supports innovation. The regulation allows for the free movement of AI-based goods and services across borders, preventing EU member states from imposing restrictions on AI systems unless specifically allowed by this regulation. The regulation should align with the values of the Union as stated in the Charter, promoting the protection of individuals, businesses, democracy, the rule of law, and environmental sustainability, while also encouraging innovation and job creation. This will help the EU become a leader in trustworthy AI. AI systems can be used in many sectors and can easily move across the EU. Some member states have started to create their own rules to ensure AI is safe and respects fundamental rights. However, differing national regulations could disrupt the internal market and create uncertainty for those developing, importing, or using AI systems. Therefore, it is essential to maintain a consistent and high level of protection across the EU to ensure trustworthy AI and prevent obstacles to the free movement, innovation, and deployment of AI systems and related products and services.
artificial intelligence (AI) while ensuring a high level of protection of health, safety, fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’), including democracy, the rule of law and environmental protection, to protect against the harmful effects of AI systems in the Union, and to support innovation. This Regulation ensures the free movement, cross-border, of AI-based goods and services, thus preventing Member States from imposing restrictions on the development, marketing and use of AI systems, unless explicitly authorised by this Regulation. (2) This Regulation should be applied in accordance with the values of the Union enshrined as in the Charter, facilitating the protection of natural persons, undertakings, democracy, the rule of law and environmental protection, while boosting innovation and employment and making the Union a leader in the uptake of trustworthy AI. (3) AI systems can be easily deployed in a large variety of sectors of the economy and many parts of society, including across borders, and can easily circulate throughout the Union. Certain Member States have already explored the adoption of national rules to ensure that AI is trustworthy and safe and is developed and used in accordance with fundamental rights obligations. Diverging national rules may lead to the fragmentation of the internal market and may decrease legal certainty for operators that develop, import or use AI systems. A consistent and high level of protection throughout the Union should therefore be ensured in order to achieve trustworthy AI, while divergences hampering the free circulation, innovation, deployment and the uptake of AI systems and related products and services within the internal market should be prevented by laying down uniform obligations for operators and Official Journal of the European Union EN L series 2024/1689 12.7.
Show original text
To ensure the safe use of AI systems and related products in the internal market, uniform obligations for operators must be established. This is necessary to protect public interests and individual rights across the internal market, as outlined in Article 114 of the Treaty on the Functioning of the European Union (TFEU). The regulation includes specific rules regarding the protection of personal data, particularly concerning the use of AI for remote biometric identification, risk assessments, and biometric categorization in law enforcement. These specific rules are based on Article 16 TFEU, and it is important to consult the European Data Protection Board regarding these matters.
the uptake of AI systems and related products and services within the internal market should be prevented by laying down uniform obligations for operators and Official Journal of the European Union EN L series 2024/1689 12.7.2024 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 1/144 (1) OJ C 517, 22.12.2021, p. 56. (2) OJ C 115, 11.3.2022, p. 5. (3) OJ C 97, 28.2.2022, p. 60. (4) Position of the European Parliament of 13 March 2024 (not yet published in the Official Journal) and decision of the Council of 21 May 2024. guaranteeing the uniform protection of overriding reasons of public interest and of rights of persons throughout the internal market on the basis of Article 114 of the Treaty on the Functioning of the European Union (TFEU). To the extent that this Regulation contains specific rules on the protection of individuals with regard to the processing of personal data concerning restrictions of the use of AI systems for remote biometric identification for the purpose of law enforcement, of the use of AI systems for risk assessments of natural persons for the purpose of law enforcement and of the use of AI systems of biometric categorisation for the purpose of law enforcement, it is appropriate to base this Regulation, in so far as those specific rules are concerned, on Article 16 TFEU. In light of those specific rules and the recourse to Article 16 TFEU, it is appropriate to consult the European Data Protection Board.
Show original text
Regulation related to specific rules under Article 16 TFEU requires consultation with the European Data Protection Board. AI is a rapidly developing technology that offers numerous economic, environmental, and social benefits across various industries. It enhances predictions, optimizes operations, and personalizes digital solutions, providing competitive advantages and supporting positive outcomes in areas like healthcare, agriculture, education, media, energy, and environmental conservation. However, depending on how it is used and its level of development, AI can also pose risks and harm public interests and fundamental rights protected by EU law, which may include physical, psychological, social, or economic harm. Given AI's significant societal impact, it is essential that its development aligns with EU values, fundamental rights, and the Charter, as stated in Article 2 and Article 6 of the Treaty on European Union. AI should prioritize human needs and aim to enhance human well-being.
Regulation, in so far as those specific rules are concerned, on Article 16 TFEU. In light of those specific rules and the recourse to Article 16 TFEU, it is appropriate to consult the European Data Protection Board. (4) AI is a fast evolving family of technologies that contributes to a wide array of economic, environmental and societal benefits across the entire spectrum of industries and social activities. By improving prediction, optimising operations and resource allocation, and personalising digital solutions available for individuals and organisations, the use of AI can provide key competitive advantages to undertakings and support socially and environmentally beneficial outcomes, for example in healthcare, agriculture, food safety, education and training, media, sports, culture, infrastructure management, energy, transport and logistics, public services, security, justice, resource and energy efficiency, environmental monitoring, the conservation and restoration of biodiversity and ecosystems and climate change mitigation and adaptation. (5) At the same time, depending on the circumstances regarding its specific application, use, and level of technological development, AI may generate risks and cause harm to public interests and fundamental rights that are protected by Union law. Such harm might be material or immaterial, including physical, psychological, societal or economic harm. (6) Given the major impact that AI can have on society and the need to build trust, it is vital for AI and its regulatory framework to be developed in accordance with Union values as enshrined in Article 2 of the Treaty on European Union (TEU), the fundamental rights and freedoms enshrined in the Treaties and, pursuant to Article 6 TEU, the Charter. As a prerequisite, AI should be a human-centric technology. It should serve as a tool for people, with the ultimate aim of increasing human well-being.
Show original text
According to the Treaties and Article 6 of the Treaty on European Union (TEU), AI should prioritize human needs and aim to enhance people's well-being. To protect public interests related to health, safety, and fundamental rights, we need to establish common rules for high-risk AI systems. These rules must align with the Charter, be non-discriminatory, and comply with the EU's international trade obligations. They should also consider the European Declaration on Digital Rights and Principles for the Digital Decade, as well as the Ethics guidelines for trustworthy AI from the High-Level Expert Group on Artificial Intelligence (AI HLEG). To support the development and use of AI in the internal market while ensuring high protection for public interests like health, safety, and fundamental rights—including democracy, the rule of law, and environmental protection—there needs to be a unified legal framework for AI. This framework should regulate the market entry, operation, and use of certain AI systems, ensuring the internal market functions smoothly and that these systems can benefit from the free movement of goods and services. The rules must be clear and strong in protecting fundamental rights, encourage innovative solutions, and foster a European ecosystem of public and private entities creating AI systems that align with EU values, thereby maximizing the potential of digital transformation across all EU regions.
the Treaties and, pursuant to Article 6 TEU, the Charter. As a prerequisite, AI should be a human-centric technology. It should serve as a tool for people, with the ultimate aim of increasing human well-being. (7) In order to ensure a consistent and high level of protection of public interests as regards health, safety and fundamental rights, common rules for high-risk AI systems should be established. Those rules should be consistent with the Charter, non-discriminatory and in line with the Union’s international trade commitments. They should also take into account the European Declaration on Digital Rights and Principles for the Digital Decade and the Ethics guidelines for trustworthy AI of the High-Level Expert Group on Artificial Intelligence (AI HLEG). (8) A Union legal framework laying down harmonised rules on AI is therefore needed to foster the development, use and uptake of AI in the internal market that at the same time meets a high level of protection of public interests, such as health and safety and the protection of fundamental rights, including democracy, the rule of law and environmental protection as recognised and protected by Union law. To achieve that objective, rules regulating the placing on the market, the putting into service and the use of certain AI systems should be laid down, thus ensuring the smooth functioning of the internal market and allowing those systems to benefit from the principle of free movement of goods and services. Those rules should be clear and robust in protecting fundamental rights, supportive of new innovative solutions, enabling a European ecosystem of public and private actors creating AI systems in line with Union values and unlocking the potential of the digital transformation across all regions of the Union.
Show original text
The regulation aims to protect fundamental rights while encouraging innovative solutions. It seeks to create a European environment where both public and private organizations can develop AI systems that align with European values. This will help unlock the benefits of digital transformation across all regions of the EU. The regulation establishes rules and support measures, particularly for small and medium enterprises (SMEs) and startups, to promote a human-centered approach to AI. It also aims to position Europe as a global leader in developing secure, trustworthy, and ethical AI, as emphasized by the European Council, and ensures the protection of ethical principles as requested by the European Parliament. Additionally, consistent rules for the marketing, deployment, and use of high-risk AI systems will be established in line with existing EU regulations.
clear and robust in protecting fundamental rights, supportive of new innovative solutions, enabling a European ecosystem of public and private actors creating AI systems in line with Union values and unlocking the potential of the digital transformation across all regions of the Union. By laying down those rules as well as measures in support of innovation with a particular focus on small and medium enterprises (SMEs), including startups, this Regulation supports the objective of promoting the European human-centric approach to AI and being a global leader in the development of secure, trustworthy and ethical AI as stated by the European Council (5), and it ensures the protection of ethical principles, as specifically requested by the European Parliament (6). EN OJ L, 12.7.2024 2/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (5) European Council, Special meeting of the European Council (1 and 2 October 2020) — Conclusions, EUCO 13/20, 2020, p. 6. (6) European Parliament resolution of 20 October 2020 with recommendations to the Commission on a framework of ethical aspects of artificial intelligence, robotics and related technologies, 2020/2012(INL). (9) Harmonised rules applicable to the placing on the market, the putting into service and the use of high-risk AI systems should be laid down consistently with Regulation (EC) No 765/2008 of the European Parliament and of the Council (7), Decision No 768/2008/EC of the European Parliament and of the Council (8) and Regulation (EU) 2019/1020 of the European Parliament and of the Council (9) (New Legislative Framework).
Show original text
The harmonized rules in Regulation (EU) 2019/1020, established by the European Parliament and Council, apply to various sectors and complement existing EU laws on data protection, consumer rights, fundamental rights, employment, worker protection, and product safety. This means that all rights and remedies provided by these laws for consumers and others affected by AI systems remain intact and fully applicable. Additionally, this regulation does not change EU social policy or national labor laws regarding employment conditions, health and safety, or employer-employee relationships. It also respects fundamental rights recognized at both the national and EU levels, including the right to strike, negotiate, and enforce collective agreements according to national laws. Furthermore, it does not interfere with laws aimed at improving working conditions in platform work. The regulation seeks to enhance the effectiveness of existing rights by setting specific requirements for transparency, technical documentation, and record-keeping for AI systems.
(7), Decision No 768/2008/EC of the European Parliament and of the Council (8) and Regulation (EU) 2019/1020 of the European Parliament and of the Council (9) (New Legislative Framework). The harmonised rules laid down in this Regulation should apply across sectors and, in line with the New Legislative Framework, should be without prejudice to existing Union law, in particular on data protection, consumer protection, fundamental rights, employment, and protection of workers, and product safety, to which this Regulation is complementary. As a consequence, all rights and remedies provided for by such Union law to consumers, and other persons on whom AI systems may have a negative impact, including as regards the compensation of possible damages pursuant to Council Directive 85/374/EEC (10) remain unaffected and fully applicable. Furthermore, in the context of employment and protection of workers, this Regulation should therefore not affect Union law on social policy and national labour law, in compliance with Union law, concerning employment and working conditions, including health and safety at work and the relationship between employers and workers. This Regulation should also not affect the exercise of fundamental rights as recognised in the Member States and at Union level, including the right or freedom to strike or to take other action covered by the specific industrial relations systems in Member States as well as the right to negotiate, to conclude and enforce collective agreements or to take collective action in accordance with national law. This Regulation should not affect the provisions aiming to improve working conditions in platform work laid down in a Directive of the European Parliament and of the Council on improving working conditions in platform work. Moreover, this Regulation aims to strengthen the effectiveness of such existing rights and remedies by establishing specific requirements and obligations, including in respect of the transparency, technical documentation and record-keeping of AI systems.
Show original text
This Regulation aims to improve working conditions for platform workers and enhance existing rights and remedies. It sets specific requirements for transparency, technical documentation, and record-keeping of AI systems. The obligations for various operators in the AI value chain will respect national laws while complying with Union law. This means that certain AI systems may be limited if they conflict with national laws or pursue different public interest goals. For instance, national labor laws and laws protecting minors, as outlined in the UNCRC General Comment No 25 (2021), will not be affected by this Regulation if they are not specific to AI systems. Additionally, the fundamental right to personal data protection is ensured by Regulations (EU) 2016/679 and (EU) 2018/1725, as well as Directive (EU) 2016/680. Directive 2002/58/EC also protects privacy and communication confidentiality, setting conditions for storing and accessing personal and non-personal data. These legal acts support responsible data processing, even when data sets include both types of data.
on improving working conditions in platform work. Moreover, this Regulation aims to strengthen the effectiveness of such existing rights and remedies by establishing specific requirements and obligations, including in respect of the transparency, technical documentation and record-keeping of AI systems. Furthermore, the obligations placed on various operators involved in the AI value chain under this Regulation should apply without prejudice to national law, in compliance with Union law, having the effect of limiting the use of certain AI systems where such law falls outside the scope of this Regulation or pursues legitimate public interest objectives other than those pursued by this Regulation. For example, national labour law and law on the protection of minors, namely persons below the age of 18, taking into account the UNCRC General Comment No 25 (2021) on children’s rights in relation to the digital environment, insofar as they are not specific to AI systems and pursue other legitimate public interest objectives, should not be affected by this Regulation. (10) The fundamental right to the protection of personal data is safeguarded in particular by Regulations (EU) 2016/679 (11) and (EU) 2018/1725 (12) of the European Parliament and of the Council and Directive (EU) 2016/680 of the European Parliament and of the Council (13). Directive 2002/58/EC of the European Parliament and of the Council (14) additionally protects private life and the confidentiality of communications, including by way of providing conditions for any storing of personal and non-personal data in, and access from, terminal equipment. Those Union legal acts provide the basis for sustainable and responsible data processing, including where data sets include a mix of personal and non-personal data.
Show original text
This regulation covers the storage and access of both personal and non-personal data on devices. It establishes guidelines for responsible data processing, even when data sets contain a mix of both types of data. The regulation does not change existing EU laws on personal data processing or the roles of independent supervisory authorities that ensure compliance with these laws. It also does not alter the responsibilities of AI system providers and users regarding personal data protection under EU or national laws when they design, develop, or use AI systems that process personal data. Additionally, individuals whose data is being processed continue to have all their rights protected.
for any storing of personal and non-personal data in, and access from, terminal equipment. Those Union legal acts provide the basis for sustainable and responsible data processing, including where data sets include a mix of personal and non-personal data. This Regulation does not seek to affect the application of existing Union law governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments. It also does not affect the obligations of providers and deployers of AI systems in their role as data controllers or processors stemming from Union or national law on the protection of personal data in so far as the design, the development or the use of AI systems involves the processing of personal data. It is also appropriate to clarify that data subjects continue to enjoy all the OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 3/144 (7) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30). (8) Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82).
Show original text
On July 9, 2008, a regulation was established to create a common framework for marketing products, replacing Council Decision 93/465/EEC (Official Journal L 218, August 13, 2008, page 82). On June 20, 2019, Regulation (EU) 2019/1020 was enacted by the European Parliament and Council to enhance market surveillance and ensure product compliance, amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (Official Journal L 169, June 25, 2019, page 1). Additionally, Council Directive 85/374/EEC, adopted on July 25, 1985, aimed to harmonize laws across Member States regarding liability for defective products (Official Journal L 210, August 7, 1985, page 29). The General Data Protection Regulation (Regulation (EU) 2016/679), which protects individuals' personal data and allows for its free movement, was passed on April 27, 2016, replacing Directive 95/46/EC (Official Journal L 119, May 4, 2016, page 1). Lastly, Regulation (EU) 2018/1725, adopted on October 23, 2018, focuses on the protection of personal data processed by EU institutions and repeals Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Official Journal L 295, November 21, 2018, page 39).
of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (OJ L 218, 13.8.2008, p. 82). (9) Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, 25.6.2019, p. 1). (10) Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (OJ L 210, 7.8.1985, p. 29). (11) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). (12) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Show original text
This text discusses various regulations related to the protection of personal data in the European Union. It mentions the repeal of Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, as well as Directive (EU) 2016/680, which focuses on protecting individuals' personal data during criminal investigations and prosecutions, replacing Council Framework Decision 2008/977/JHA. Additionally, it references Directive 2002/58/EC, which addresses privacy in electronic communications. The regulations aim to ensure that individuals have rights and protections regarding automated decision-making and profiling. The new rules for AI systems are designed to support the enforcement of these rights and other legal protections for personal data. Lastly, it clarifies that these regulations do not affect the liability of intermediary service providers as outlined in Regulation (EU) 2022/2065.
movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). (13) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89). (14) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37). rights and guarantees awarded to them by such Union law, including the rights related to solely automated individual decision-making, including profiling. Harmonised rules for the placing on the market, the putting into service and the use of AI systems established under this Regulation should facilitate the effective implementation and enable the exercise of the data subjects’ rights and other remedies guaranteed under Union law on the protection of personal data and of other fundamental rights. (11) This Regulation should be without prejudice to the provisions regarding the liability of providers of intermediary services as set out in Regulation (EU) 2022/2065 of the European Parliament and of the Council (15).
Show original text
This Regulation does not affect the rules about the responsibility of intermediary service providers as stated in Regulation (EU) 2022/2065 by the European Parliament and Council. The term 'AI system' in this Regulation needs a clear definition that aligns with international organizations working on AI. This will help ensure legal clarity, promote global agreement, and allow for quick adaptation to new technology. The definition should highlight the unique features of AI systems that set them apart from simpler software and should not include systems that only follow rules set by humans to perform tasks automatically. A key feature of AI systems is their ability to infer, which means they can generate outputs like predictions, recommendations, or decisions that can affect both physical and digital environments. AI systems can create models or algorithms from data inputs. Techniques that enable this inference include machine learning, which learns from data to meet specific goals, and logic-based methods that use encoded knowledge to solve tasks. The ability to infer goes beyond basic data processing, allowing for learning, reasoning, and modeling. The term 'machine-based' indicates that AI systems operate on machines. The mention of explicit or implicit objectives means that AI systems can work towards clearly defined goals or more vague, underlying goals, which may differ from their intended purpose in a given situation.
other fundamental rights. (11) This Regulation should be without prejudice to the provisions regarding the liability of providers of intermediary services as set out in Regulation (EU) 2022/2065 of the European Parliament and of the Council (15). (12) The notion of ‘AI system’ in this Regulation should be clearly defined and should be closely aligned with the work of international organisations working on AI to ensure legal certainty, facilitate international convergence and wide acceptance, while providing the flexibility to accommodate the rapid technological developments in this field. Moreover, the definition should be based on key characteristics of AI systems that distinguish it from simpler traditional software systems or programming approaches and should not cover systems that are based on the rules defined solely by natural persons to automatically execute operations. A key characteristic of AI systems is their capability to infer. This capability to infer refers to the process of obtaining the outputs, such as predictions, content, recommendations, or decisions, which can influence physical and virtual environments, and to a capability of AI systems to derive models or algorithms, or both, from inputs or data. The techniques that enable inference while building an AI system include machine learning approaches that learn from data how to achieve certain objectives, and logic- and knowledge-based approaches that infer from encoded knowledge or symbolic representation of the task to be solved. The capacity of an AI system to infer transcends basic data processing by enabling learning, reasoning or modelling. The term ‘machine-based’ refers to the fact that AI systems run on machines. The reference to explicit or implicit objectives underscores that AI systems can operate according to explicit defined objectives or to implicit objectives. The objectives of the AI system may be different from the intended purpose of the AI system in a specific context.
Show original text
AI systems can operate based on clear (explicit) goals or implied (implicit) goals. Sometimes, the goals of an AI system may differ from its intended use in a specific situation. In this regulation, 'environments' refer to the contexts where AI systems function, while 'outputs' are the results produced by these systems, such as predictions, content, recommendations, or decisions. AI systems can work with different levels of independence from human control and can adapt and learn after being deployed. They can be used on their own or as part of a product, whether they are built into the product (embedded) or function separately (non-embedded). The term 'deployer' in this regulation refers to any individual or organization, including public authorities, that uses an AI system under their control, except when the system is used for personal, non-professional purposes. Depending on the type of AI system, its use may impact people other than the deployer. The term 'biometric data' in this regulation is defined according to specific articles in EU regulations concerning data protection.
machines. The reference to explicit or implicit objectives underscores that AI systems can operate according to explicit defined objectives or to implicit objectives. The objectives of the AI system may be different from the intended purpose of the AI system in a specific context. For the purposes of this Regulation, environments should be understood to be the contexts in which the AI systems operate, whereas outputs generated by the AI system reflect different functions performed by AI systems and include predictions, content, recommendations or decisions. AI systems are designed to operate with varying levels of autonomy, meaning that they have some degree of independence of actions from human involvement and of capabilities to operate without human intervention. The adaptiveness that an AI system could exhibit after deployment, refers to self-learning capabilities, allowing the system to change while in use. AI systems can be used on a stand-alone basis or as a component of a product, irrespective of whether the system is physically integrated into the product (embedded) or serves the functionality of the product without being integrated therein (non-embedded). (13) The notion of ‘deployer’ referred to in this Regulation should be interpreted as any natural or legal person, including a public authority, agency or other body, using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity. Depending on the type of AI system, the use of the system may affect persons other than the deployer. (14) The notion of ‘biometric data’ used in this Regulation should be interpreted in light of the notion of biometric data as defined in Article 4, point (14) of Regulation (EU) 2016/679, Article 3, point (18) of Regulation (EU) 2018/1725 and Article 3, point (13) of Directive (EU) 2016/680.
Show original text
Regulation (EU) 2016/679, Article 3, point (18) of Regulation (EU) 2018/1725, and Article 3, point (13) of Directive (EU) 2016/680 define biometric data as information that can be used to identify, authenticate, or categorize individuals, as well as recognize their emotions. 'Biometric identification' is described as the automated process of recognizing human physical, physiological, and behavioral traits, such as facial features, eye movement, body shape, voice, walking style, posture, heart rate, blood pressure, scent, and typing patterns. This process is used to establish a person's identity by comparing their biometric data to data stored in a reference database, regardless of whether the person has given consent. However, this does not include AI systems used solely for biometric verification, which is meant to confirm that a person is who they claim to be for accessing services, unlocking devices, or gaining security access to locations. Additionally, Regulation (EU) 2022/2065, passed on October 19, 2022, addresses the Single Market for Digital Services and amends Directive 2000/31/EC (Digital Services Act).
Regulation (EU) 2016/679, Article 3, point (18) of Regulation (EU) 2018/1725 and Article 3, point (13) of Directive (EU) 2016/680. Biometric data can allow for the authentication, identification or categorisation of natural persons and for the recognition of emotions of natural persons. (15) The notion of ‘biometric identification’ referred to in this Regulation should be defined as the automated recognition of physical, physiological and behavioural human features such as the face, eye movement, body shape, voice, prosody, gait, posture, heart rate, blood pressure, odour, keystrokes characteristics, for the purpose of establishing an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a reference database, irrespective of whether the individual has given its consent or not. This excludes AI systems intended to be used for biometric verification, which includes authentication, whose sole purpose is to confirm that a specific natural person is the person he or she claims to be and to confirm the identity of a natural person for the sole purpose of having access to a service, unlocking a device or having security access to premises. EN OJ L, 12.7.2024 4/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (15) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1).
Show original text
On October 19, 2022, the Digital Services Act was established, amending Directive 2000/31/EC (published in OJ L 277 on October 27, 2022, page 1). The term 'biometric categorisation' in this regulation refers to the process of classifying individuals based on their biometric data. This classification can include factors like sex, age, hair color, eye color, tattoos, behavioral traits, personality traits, language, religion, membership in a national minority, and sexual or political orientation. However, this does not apply to biometric categorisation systems that are merely additional features tied to another main service. These features cannot be used independently for technical reasons, and their inclusion should not be a way to avoid the rules of this regulation. For instance, filters that categorize facial or body features on online marketplaces are considered ancillary features because they can only be used in connection with the main service of selling products, helping consumers preview items on themselves to aid in their purchasing decisions. Similarly, filters on social networking sites that categorize facial or body features for modifying pictures or videos are also ancillary, as they cannot function without the primary service of sharing content online.
19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1). (16) The notion of ‘biometric categorisation’ referred to in this Regulation should be defined as assigning natural persons to specific categories on the basis of their biometric data. Such specific categories can relate to aspects such as sex, age, hair colour, eye colour, tattoos, behavioural or personality traits, language, religion, membership of a national minority, sexual or political orientation. This does not include biometric categorisation systems that are a purely ancillary feature intrinsically linked to another commercial service, meaning that the feature cannot, for objective technical reasons, be used without the principal service, and the integration of that feature or functionality is not a means to circumvent the applicability of the rules of this Regulation. For example, filters categorising facial or body features used on online marketplaces could constitute such an ancillary feature as they can be used only in relation to the principal service which consists in selling a product by allowing the consumer to preview the display of the product on him or herself and help the consumer to make a purchase decision. Filters used on online social network services which categorise facial or body features to allow users to add or modify pictures or videos could also be considered to be ancillary feature as such filter cannot be used without the principal service of the social network services consisting in the sharing of content online.
Show original text
Features that use facial or body characteristics to let users edit pictures or videos are considered secondary because they rely on the main function of social networks, which is sharing content online. The term 'remote biometric identification system' in this Regulation refers to an AI system designed to identify people without their active participation, usually from a distance. This is done by comparing a person's biometric data, like fingerprints or facial recognition, with data stored in a reference database, regardless of the technology or type of biometric data used. These systems can observe multiple people or their behaviors at once, making it easier to identify individuals without their involvement. This definition excludes AI systems used for biometric verification, which only confirm a person's identity for access to services, unlocking devices, or security purposes. This exclusion is important because verification systems typically have a smaller impact on individuals' rights compared to remote identification systems that can process data from many people without their consent. In 'real-time' systems, biometric data is captured, compared, and identified almost instantly, without significant delays. Therefore, the rules in this Regulation regarding the real-time use of these AI systems must be strictly followed, and there should be no loopholes that allow for minor delays.
ise facial or body features to allow users to add or modify pictures or videos could also be considered to be ancillary feature as such filter cannot be used without the principal service of the social network services consisting in the sharing of content online. (17) The notion of ‘remote biometric identification system’ referred to in this Regulation should be defined functionally, as an AI system intended for the identification of natural persons without their active involvement, typically at a distance, through the comparison of a person’s biometric data with the biometric data contained in a reference database, irrespectively of the particular technology, processes or types of biometric data used. Such remote biometric identification systems are typically used to perceive multiple persons or their behaviour simultaneously in order to facilitate significantly the identification of natural persons without their active involvement. This excludes AI systems intended to be used for biometric verification, which includes authentication, the sole purpose of which is to confirm that a specific natural person is the person he or she claims to be and to confirm the identity of a natural person for the sole purpose of having access to a service, unlocking a device or having security access to premises. That exclusion is justified by the fact that such systems are likely to have a minor impact on fundamental rights of natural persons compared to the remote biometric identification systems which may be used for the processing of the biometric data of a large number of persons without their active involvement. In the case of ‘real-time’ systems, the capturing of the biometric data, the comparison and the identification occur all instantaneously, near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the ‘real-time’ use of the AI systems concerned by providing for minor delays.
Show original text
AI systems must operate in real-time, meaning they should provide immediate results without significant delays. There should be no loopholes that allow for minor delays to bypass these rules. Real-time systems use live or nearly live data, like video from cameras. In contrast, post systems analyze biometric data that has already been collected, with identification happening only after a considerable delay. This includes footage from CCTV or other devices that was recorded before the system is used on individuals. The term 'emotion recognition system' in this regulation refers to AI systems that identify or infer the emotions or intentions of individuals based on their biometric data. This includes emotions like happiness, sadness, anger, surprise, disgust, embarrassment, excitement, shame, contempt, satisfaction, and amusement. It does not cover physical states like pain or fatigue, such as systems that detect fatigue in pilots or drivers to prevent accidents. Additionally, it does not include simply recognizing obvious expressions, gestures, or movements unless they are specifically used to identify or infer emotions. Examples of these expressions include basic facial expressions like frowning or smiling, hand or arm movements, and vocal characteristics like a raised voice or whispering.
near-instantaneously or in any event without a significant delay. In this regard, there should be no scope for circumventing the rules of this Regulation on the ‘real-time’ use of the AI systems concerned by providing for minor delays. ‘Real-time’ systems involve the use of ‘live’ or ‘near-live’ material, such as video footage, generated by a camera or other device with similar functionality. In the case of ‘post’ systems, in contrast, the biometric data has already been captured and the comparison and identification occur only after a significant delay. This involves material, such as pictures or video footage generated by closed circuit television cameras or private devices, which has been generated before the use of the system in respect of the natural persons concerned. (18) The notion of ‘emotion recognition system’ referred to in this Regulation should be defined as an AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data. The notion refers to emotions or intentions such as happiness, sadness, anger, surprise, disgust, embarrassment, excitement, shame, contempt, satisfaction and amusement. It does not include physical states, such as pain or fatigue, including, for example, systems used in detecting the state of fatigue of professional pilots or drivers for the purpose of preventing accidents. This does also not include the mere detection of readily apparent expressions, gestures or movements, unless they are used for identifying or inferring emotions. Those expressions can be basic facial expressions, such as a frown or a smile, or gestures such as the movement of hands, arms or head, or characteristics of a person’s voice, such as a raised voice or whispering.
Show original text
Expressions can include basic facial expressions like frowning or smiling, gestures such as moving hands, arms, or head, and vocal characteristics like speaking loudly or whispering. In this regulation, 'publicly accessible space' means any physical area that anyone can enter, regardless of whether it is privately or publicly owned. This includes places used for various activities, such as: - Commerce: shops, restaurants, cafés - Services: banks, professional offices, hospitality - Sports: swimming pools, gyms, stadiums - Transport: bus, metro, and railway stations, airports - Entertainment: cinemas, theatres, museums, concert halls, conference halls - Leisure: public roads, squares, parks, forests, playgrounds. A space is also considered publicly accessible if it has certain conditions for entry that can be met by many people, such as buying a ticket, registering in advance, or meeting an age requirement. However, a space is not publicly accessible if entry is restricted to specific individuals due to laws related to public safety or security, or if the owner clearly indicates that access is limited.
expressions can be basic facial expressions, such as a frown or a smile, or gestures such as the movement of hands, arms or head, or characteristics of a person’s voice, such as a raised voice or whispering. (19) For the purposes of this Regulation the notion of ‘publicly accessible space’ should be understood as referring to any physical space that is accessible to an undetermined number of natural persons, and irrespective of whether the space in question is privately or publicly owned, irrespective of the activity for which the space may be used, such as for commerce, for example, shops, restaurants, cafés; for services, for example, banks, professional activities, hospitality; for sport, for example, swimming pools, gyms, stadiums; for transport, for example, bus, metro and railway stations, airports, means of transport; for entertainment, for example, cinemas, theatres, museums, concert and conference halls; or for leisure or otherwise, for example, public roads and squares, parks, forests, playgrounds. A space should also be classified as being publicly accessible if, regardless of potential capacity or security restrictions, access is subject to certain predetermined conditions which can be fulfilled by an undetermined number of persons, such as the purchase of a ticket or title of transport, prior registration or having a certain age. In contrast, a space should not be considered to be publicly accessible if access is limited to specific and defined natural persons through either Union or national law directly related to public safety or security or through the clear manifestation OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 5/144 of will by the person having the relevant authority over the space.
Show original text
On July 12, 2024, the European Union published regulations regarding public accessibility of spaces. Access to a space is determined by the authority in charge. Just because a door is unlocked or a gate is open does not mean the space is publicly accessible, especially if there are signs indicating restrictions. Areas like company premises, factories, and offices meant only for employees and service providers are not considered publicly accessible. Additionally, prisons and border control areas are excluded from public access. Some locations, like hallways in private buildings that lead to offices or airports, may have both public and restricted areas. Online spaces are not included in this definition, as they are not physical locations. Each space's accessibility should be evaluated individually based on its specific circumstances. To maximize the benefits of AI systems while safeguarding fundamental rights and ensuring democratic oversight, it is essential for providers, users, and those affected to have a good understanding of AI. This includes knowledge about the development and application of AI technology, how to interpret its results, and how AI-driven decisions may affect individuals.
L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 5/144 of will by the person having the relevant authority over the space. The factual possibility of access alone, such as an unlocked door or an open gate in a fence, does not imply that the space is publicly accessible in the presence of indications or circumstances suggesting the contrary, such as. signs prohibiting or restricting access. Company and factory premises, as well as offices and workplaces that are intended to be accessed only by relevant employees and service providers, are spaces that are not publicly accessible. Publicly accessible spaces should not include prisons or border control. Some other spaces may comprise both publicly accessible and non-publicly accessible spaces, such as the hallway of a private residential building necessary to access a doctor’s office or an airport. Online spaces are not covered, as they are not physical spaces. Whether a given space is accessible to the public should however be determined on a case-by-case basis, having regard to the specificities of the individual situation at hand. (20) In order to obtain the greatest benefits from AI systems while protecting fundamental rights, health and safety and to enable democratic control, AI literacy should equip providers, deployers and affected persons with the necessary notions to make informed decisions regarding AI systems. Those notions may vary with regard to the relevant context and can include understanding the correct application of technical elements during the AI system’s development phase, the measures to be applied during its use, the suitable ways in which to interpret the AI system’s output, and, in the case of affected persons, the knowledge necessary to understand how decisions taken with the assistance of AI will have an impact on them.
Show original text
The AI system's output must be interpreted correctly, and affected individuals need to understand how AI-assisted decisions will impact them. This Regulation aims to ensure that everyone involved in the AI value chain has the knowledge necessary for compliance and enforcement. Promoting AI literacy can improve working conditions and support the development of trustworthy AI in the European Union. The European Artificial Intelligence Board will assist the Commission in promoting AI literacy tools and raising public awareness about the benefits, risks, and rights related to AI systems. The Commission and Member States will work with stakeholders to create voluntary codes of conduct to enhance AI literacy for those involved in developing, operating, and using AI. To protect individual rights across the Union, the rules in this Regulation will apply equally to AI system providers, regardless of whether they are based in the Union or abroad, as well as to users of AI systems within the Union. Additionally, some AI systems will be covered by this Regulation even if they are not marketed or used in the Union, especially when a Union-based operator contracts services from a third-country operator for high-risk AI activities.
applied during its use, the suitable ways in which to interpret the AI system’s output, and, in the case of affected persons, the knowledge necessary to understand how decisions taken with the assistance of AI will have an impact on them. In the context of the application this Regulation, AI literacy should provide all relevant actors in the AI value chain with the insights required to ensure the appropriate compliance and its correct enforcement. Furthermore, the wide implementation of AI literacy measures and the introduction of appropriate follow-up actions could contribute to improving working conditions and ultimately sustain the consolidation, and innovation path of trustworthy AI in the Union. The European Artificial Intelligence Board (the ‘Board’) should support the Commission, to promote AI literacy tools, public awareness and understanding of the benefits, risks, safeguards, rights and obligations in relation to the use of AI systems. In cooperation with the relevant stakeholders, the Commission and the Member States should facilitate the drawing up of voluntary codes of conduct to advance AI literacy among persons dealing with the development, operation and use of AI. (21) In order to ensure a level playing field and an effective protection of rights and freedoms of individuals across the Union, the rules established by this Regulation should apply to providers of AI systems in a non-discriminatory manner, irrespective of whether they are established within the Union or in a third country, and to deployers of AI systems established within the Union. (22) In light of their digital nature, certain AI systems should fall within the scope of this Regulation even when they are not placed on the market, put into service, or used in the Union. This is the case, for example, where an operator established in the Union contracts certain services to an operator established in a third country in relation to an activity to be performed by an AI system that would qualify as high-risk.
Show original text
This regulation applies when a company in the European Union hires a company in a non-EU country to provide services related to a high-risk AI system. In this case, the AI system in the non-EU country can legally process data collected from the EU and send the results back to the EU company without being sold or used in the EU. To prevent bypassing this regulation and to protect individuals in the EU, the regulation also applies to AI system providers and users in non-EU countries if their outputs are meant for use in the EU. However, this regulation does not apply to public authorities or international organizations from non-EU countries when they are cooperating under international agreements for law enforcement and judicial matters with the EU or its member states, as long as they ensure adequate protection of individual rights. This includes activities by entities designated by non-EU countries to assist in such cooperation. These cooperation frameworks or agreements can be established between EU member states and non-EU countries or between the EU, Europol, and other EU agencies and non-EU countries and organizations.
Union. This is the case, for example, where an operator established in the Union contracts certain services to an operator established in a third country in relation to an activity to be performed by an AI system that would qualify as high-risk. In those circumstances, the AI system used in a third country by the operator could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union. To prevent the circumvention of this Regulation and to ensure an effective protection of natural persons located in the Union, this Regulation should also apply to providers and deployers of AI systems that are established in a third country, to the extent the output produced by those systems is intended to be used in the Union. Nonetheless, to take into account existing arrangements and special needs for future cooperation with foreign partners with whom information and evidence is exchanged, this Regulation should not apply to public authorities of a third country and international organisations when acting in the framework of cooperation or international agreements concluded at Union or national level for law enforcement and judicial cooperation with the Union or the Member States, provided that the relevant third country or international organisation provides adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals. Where relevant, this may cover activities of entities entrusted by the third countries to carry out specific tasks in support of such law enforcement and judicial cooperation. Such framework for cooperation or agreements have been established bilaterally between Member States and third countries or between the European Union, Europol and other Union agencies and third countries and international organisations.
Show original text
This regulation supports cooperation between law enforcement and judicial authorities. Agreements for this cooperation have been made between EU Member States, third countries, Europol, and other EU agencies. The authorities responsible for overseeing law enforcement and judicial bodies must check that these cooperation frameworks and international agreements protect individuals' fundamental rights and freedoms. National authorities and EU institutions using these agreements must ensure their actions comply with EU law. When revising or creating new international agreements, parties should strive to align them with this regulation's requirements. Additionally, this regulation applies to EU institutions, bodies, offices, and agencies when they provide or deploy AI systems. However, AI systems used for military, defense, or national security purposes are excluded from this regulation, regardless of whether they are operated by public or private entities.
support of such law enforcement and judicial cooperation. Such framework for cooperation or agreements have been established bilaterally between Member States and third countries or between the European Union, Europol and other Union agencies and third countries and international organisations. The authorities competent for supervision of the law enforcement and judicial authorities under this Regulation should assess whether those frameworks for cooperation or international agreements include adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals. Recipient national EN OJ L, 12.7.2024 6/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj authorities and Union institutions, bodies, offices and agencies making use of such outputs in the Union remain accountable to ensure their use complies with Union law. When those international agreements are revised or new ones are concluded in the future, the contracting parties should make utmost efforts to align those agreements with the requirements of this Regulation. (23) This Regulation should also apply to Union institutions, bodies, offices and agencies when acting as a provider or deployer of an AI system. (24) If, and insofar as, AI systems are placed on the market, put into service, or used with or without modification of such systems for military, defence or national security purposes, those should be excluded from the scope of this Regulation regardless of which type of entity is carrying out those activities, such as whether it is a public or private entity.
Show original text
AI systems designed for military, defense, or national security purposes are not covered by this Regulation, regardless of whether they are operated by public or private entities. This exclusion is supported by Article 4(2) of the Treaty on European Union (TEU) and the specific needs of Member States' defense policies, which are governed by international law. For national security, the exclusion is justified because it is the sole responsibility of Member States, as stated in Article 4(2) TEU, and due to the unique requirements of national security operations. However, if an AI system originally developed for military, defense, or national security purposes is later used for civilian, humanitarian, law enforcement, or public security purposes, it will then fall under this Regulation. In such cases, the entity using the AI system for these other purposes must ensure that it complies with the Regulation, unless it already meets the requirements. Additionally, AI systems that are marketed or used for both excluded (military, defense, national security) and non-excluded (civilian, law enforcement) purposes must comply with this Regulation, and the providers of these systems are responsible for ensuring compliance.
modification of such systems for military, defence or national security purposes, those should be excluded from the scope of this Regulation regardless of which type of entity is carrying out those activities, such as whether it is a public or private entity. As regards military and defence purposes, such exclusion is justified both by Article 4(2) TEU and by the specificities of the Member States’ and the common Union defence policy covered by Chapter 2 of Title V TEU that are subject to public international law, which is therefore the more appropriate legal framework for the regulation of AI systems in the context of the use of lethal force and other AI systems in the context of military and defence activities. As regards national security purposes, the exclusion is justified both by the fact that national security remains the sole responsibility of Member States in accordance with Article 4(2) TEU and by the specific nature and operational needs of national security activities and specific national rules applicable to those activities. Nonetheless, if an AI system developed, placed on the market, put into service or used for military, defence or national security purposes is used outside those temporarily or permanently for other purposes, for example, civilian or humanitarian purposes, law enforcement or public security purposes, such a system would fall within the scope of this Regulation. In that case, the entity using the AI system for other than military, defence or national security purposes should ensure the compliance of the AI system with this Regulation, unless the system is already compliant with this Regulation. AI systems placed on the market or put into service for an excluded purpose, namely military, defence or national security, and one or more non-excluded purposes, such as civilian purposes or law enforcement, fall within the scope of this Regulation and providers of those systems should ensure compliance with this Regulation.
Show original text
This Regulation applies to AI systems that serve both military, defense, or national security purposes (which are excluded) and civilian or law enforcement purposes (which are included). Providers of these systems must comply with the Regulation. However, the Regulation does not restrict entities from using AI systems for national security, military, or defense activities, even if those systems are also used for civilian purposes. If an AI system is designed for civilian or law enforcement use but is later used for military or national security purposes, it is not subject to this Regulation, regardless of who is using it. Additionally, this Regulation aims to promote innovation and protect scientific freedom, so AI systems created solely for scientific research and development are excluded from its scope. It is important that this Regulation does not interfere with research and development activities related to AI systems before they are marketed or put into use. For product-oriented research, testing, and development of AI systems, the Regulation does not apply until those systems are officially launched. However, once an AI system developed through research is marketed or used, it must comply with the Regulation, including any relevant provisions for AI regulatory sandboxes and real-world testing.
an excluded purpose, namely military, defence or national security, and one or more non-excluded purposes, such as civilian purposes or law enforcement, fall within the scope of this Regulation and providers of those systems should ensure compliance with this Regulation. In those cases, the fact that an AI system may fall within the scope of this Regulation should not affect the possibility of entities carrying out national security, defence and military activities, regardless of the type of entity carrying out those activities, to use AI systems for national security, military and defence purposes, the use of which is excluded from the scope of this Regulation. An AI system placed on the market for civilian or law enforcement purposes which is used with or without modification for military, defence or national security purposes should not fall within the scope of this Regulation, regardless of the type of entity carrying out those activities. (25) This Regulation should support innovation, should respect freedom of science, and should not undermine research and development activity. It is therefore necessary to exclude from its scope AI systems and models specifically developed and put into service for the sole purpose of scientific research and development. Moreover, it is necessary to ensure that this Regulation does not otherwise affect scientific research and development activity on AI systems or models prior to being placed on the market or put into service. As regards product-oriented research, testing and development activity regarding AI systems or models, the provisions of this Regulation should also not apply prior to those systems and models being put into service or placed on the market. That exclusion is without prejudice to the obligation to comply with this Regulation where an AI system falling into the scope of this Regulation is placed on the market or put into service as a result of such research and development activity and to the application of provisions on AI regulatory sandboxes and testing in real world conditions.
Show original text
This regulation applies to AI systems that are marketed or used as a result of research and development activities, including those tested in real-world conditions. AI systems specifically created for scientific research are excluded from this regulation, but other AI systems used in research must still comply with its provisions. All research and development must adhere to recognized ethical and professional standards and applicable EU laws. To create effective rules for AI systems, a risk-based approach will be used. This means that the rules will be tailored based on the level of risk posed by different AI systems. Certain harmful AI practices will be banned, high-risk AI systems will have specific requirements, and transparency obligations will be established for some AI systems. Additionally, while this risk-based approach is essential, it is important to remember the 2019 Ethics Guidelines for Trustworthy AI created by the independent AI High-Level Expert Group (HLEG) appointed by the Commission. These guidelines outline seven non-binding ethical principles to ensure that AI is trustworthy and ethically responsible.
where an AI system falling into the scope of this Regulation is placed on the market or put into service as a result of such research and development activity and to the application of provisions on AI regulatory sandboxes and testing in real world conditions. Furthermore, without prejudice to the exclusion of AI systems specifically developed and put into service for the sole purpose of scientific research and development, any other AI system that may be used for the conduct of any research and development activity should remain subject to the provisions of this Regulation. In any event, any research and development activity should be carried out in accordance with recognised ethical and professional standards for scientific research and should be conducted in accordance with applicable Union law. (26) In order to introduce a proportionate and effective set of binding rules for AI systems, a clearly defined risk-based approach should be followed. That approach should tailor the type and content of such rules to the intensity and scope of the risks that AI systems can generate. It is therefore necessary to prohibit certain unacceptable AI practices, to lay down requirements for high-risk AI systems and obligations for the relevant operators, and to lay down transparency obligations for certain AI systems. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 7/144 (27) While the risk-based approach is the basis for a proportionate and effective set of binding rules, it is important to recall the 2019 Ethics guidelines for trustworthy AI developed by the independent AI HLEG appointed by the Commission. In those guidelines, the AI HLEG developed seven non-binding ethical principles for AI which are intended to help ensure that AI is trustworthy and ethically sound.
Show original text
The independent AI High-Level Expert Group (AI HLEG), appointed by the Commission, has created guidelines for trustworthy AI. These guidelines outline seven ethical principles that are not legally binding but aim to ensure AI is reliable and ethical. The seven principles are: 1) Human agency and oversight, which means AI should serve people, respect human dignity, and be controllable by humans; 2) Technical robustness and safety, ensuring AI systems are reliable and resistant to misuse; 3) Privacy and data governance, which requires adherence to data protection laws and high standards for data quality; 4) Transparency, allowing users to understand and trace AI decisions, and informing them when they interact with AI; 5) Diversity, non-discrimination, and fairness; 6) Societal and environmental well-being; and 7) Accountability. These guidelines support the creation of AI that is coherent, trustworthy, and centered on human values, in line with the Charter and the principles of the Union.
guidelines for trustworthy AI developed by the independent AI HLEG appointed by the Commission. In those guidelines, the AI HLEG developed seven non-binding ethical principles for AI which are intended to help ensure that AI is trustworthy and ethically sound. The seven principles include human agency and oversight; technical robustness and safety; privacy and data governance; transparency; diversity, non-discrimination and fairness; societal and environmental well-being and accountability. Without prejudice to the legally binding requirements of this Regulation and any other applicable Union law, those guidelines contribute to the design of coherent, trustworthy and human-centric AI, in line with the Charter and with the values on which the Union is founded. According to the guidelines of the AI HLEG, human agency and oversight means that AI systems are developed and used as a tool that serves people, respects human dignity and personal autonomy, and that is functioning in a way that can be appropriately controlled and overseen by humans. Technical robustness and safety means that AI systems are developed and used in a way that allows robustness in the case of problems and resilience against attempts to alter the use or performance of the AI system so as to allow unlawful use by third parties, and minimise unintended harm. Privacy and data governance means that AI systems are developed and used in accordance with privacy and data protection rules, while processing data that meets high standards in terms of quality and integrity. Transparency means that AI systems are developed and used in a way that allows appropriate traceability and explainability, while making humans aware that they communicate or interact with an AI system, as well as duly informing deployers of the capabilities and limitations of that AI system and affected persons about their rights.
Show original text
AI systems should be designed to ensure traceability and explainability, making it clear to users when they are interacting with AI. Deployers must be informed about the AI's capabilities and limitations, and individuals should be aware of their rights. AI development must promote diversity, non-discrimination, and fairness, ensuring equal access, gender equality, and cultural diversity while avoiding biases that violate laws. Additionally, AI should be developed sustainably, benefiting society and the environment, with ongoing assessments of its long-term effects on individuals and democracy. These principles should guide the design and use of AI models and inform codes of conduct under this Regulation. All stakeholders, including industry, academia, civil society, and standardization organizations, are encouraged to adopt ethical principles in creating best practices and standards. However, AI can also be misused for manipulative and exploitative purposes, which contradicts Union values like human dignity, freedom, equality, democracy, and fundamental rights, including non-discrimination, data protection, privacy, and children's rights. Manipulative AI techniques can lead individuals to make unwanted decisions, undermining their autonomy and free choice.
way that allows appropriate traceability and explainability, while making humans aware that they communicate or interact with an AI system, as well as duly informing deployers of the capabilities and limitations of that AI system and affected persons about their rights. Diversity, non-discrimination and fairness means that AI systems are developed and used in a way that includes diverse actors and promotes equal access, gender equality and cultural diversity, while avoiding discriminatory impacts and unfair biases that are prohibited by Union or national law. Social and environmental well-being means that AI systems are developed and used in a sustainable and environmentally friendly manner as well as in a way to benefit all human beings, while monitoring and assessing the long-term impacts on the individual, society and democracy. The application of those principles should be translated, when possible, in the design and use of AI models. They should in any case serve as a basis for the drafting of codes of conduct under this Regulation. All stakeholders, including industry, academia, civil society and standardisation organisations, are encouraged to take into account, as appropriate, the ethical principles for the development of voluntary best practices and standards. (28) Aside from the many beneficial uses of AI, it can also be misused and provide novel and powerful tools for manipulative, exploitative and social control practices. Such practices are particularly harmful and abusive and should be prohibited because they contradict Union values of respect for human dignity, freedom, equality, democracy and the rule of law and fundamental rights enshrined in the Charter, including the right to non-discrimination, to data protection and to privacy and the rights of the child. (29) AI-enabled manipulative techniques can be used to persuade persons to engage in unwanted behaviours, or to deceive them by nudging them into decisions in a way that subverts and impairs their autonomy, decision-making and free choices.
Show original text
AI can use manipulative techniques to persuade people to do things they don't want to do or to trick them into making decisions that undermine their freedom and ability to choose. Certain AI systems that significantly distort human behavior and can cause serious harm—especially to physical or mental health or financial well-being—should be banned. These systems might use hidden audio, images, or videos that people can't consciously perceive, or other deceptive methods that affect their decision-making without their awareness. For example, technologies like machine-brain interfaces or virtual reality can control what people experience, potentially leading to harmful behavior changes. Additionally, AI can take advantage of people's vulnerabilities, such as age, disabilities (as defined by EU Directive 2019/882), or specific social or economic situations, making them more susceptible to exploitation, like those living in extreme poverty or belonging to ethnic or religious minorities.
29) AI-enabled manipulative techniques can be used to persuade persons to engage in unwanted behaviours, or to deceive them by nudging them into decisions in a way that subverts and impairs their autonomy, decision-making and free choices. The placing on the market, the putting into service or the use of certain AI systems with the objective to or the effect of materially distorting human behaviour, whereby significant harms, in particular having sufficiently important adverse impacts on physical, psychological health or financial interests are likely to occur, are particularly dangerous and should therefore be prohibited. Such AI systems deploy subliminal components such as audio, image, video stimuli that persons cannot perceive, as those stimuli are beyond human perception, or other manipulative or deceptive techniques that subvert or impair person’s autonomy, decision-making or free choice in ways that people are not consciously aware of those techniques or, where they are aware of them, can still be deceived or are not able to control or resist them. This could be facilitated, for example, by machine-brain interfaces or virtual reality as they allow for a higher degree of control of what stimuli are presented to persons, insofar as they may materially distort their behaviour in a significantly harmful manner. In addition, AI systems may also otherwise exploit the vulnerabilities of a person or a specific group of persons due to their age, disability within the meaning of Directive (EU) 2019/882 of the European Parliament and of the Council (16), or a specific social or economic situation that is likely to make those persons more vulnerable to exploitation such as persons living in extreme poverty, ethnic or religious minorities.
Show original text
According to Directive (EU) 2019/882 from the European Parliament and Council, certain AI systems can exploit vulnerable individuals, such as those living in extreme poverty or belonging to ethnic or religious minorities. These systems may be marketed or used in ways that significantly distort people's behavior, potentially causing harm to individuals or groups over time. Such practices should be banned. It's important to note that harm can occur even if the AI provider or user did not intend to cause it, especially if the harm arises from unforeseen external factors beyond their control.
2019/882 of the European Parliament and of the Council (16), or a specific social or economic situation that is likely to make those persons more vulnerable to exploitation such as persons living in extreme poverty, ethnic or religious minorities. Such AI systems can be placed on the market, put into service or used with the objective to or the effect of materially distorting the behaviour of a person and in a manner that causes or is reasonably likely to cause significant harm to that or another person or groups of persons, including harms that may be accumulated over time and should therefore be prohibited. It may not be possible to assume that there is an EN OJ L, 12.7.2024 8/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (16) Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services (OJ L 151, 7.6.2019, p. 70). intention to distort behaviour where the distortion results from factors external to the AI system which are outside the control of the provider or the deployer, namely factors that may not be reasonably foreseeable and therefore not possible for the provider or the deployer of the AI system to mitigate. In any case, it is not necessary for the provider or the deployer to have the intention to cause significant harm, provided that such harm results from the manipulative or exploitative AI-enabled practices.
Show original text
AI systems must be designed to prevent harm. It doesn't matter if the provider or user didn't intend to cause harm; if the AI's manipulative or exploitative practices lead to significant harm, it is still prohibited. These rules complement the European Parliament's Directive 2005/29/EC, which bans unfair commercial practices that harm consumers financially, regardless of whether they use AI or not. However, lawful medical practices, like psychological treatment or physical rehabilitation, are not affected by these prohibitions as long as they follow legal and medical standards, such as obtaining explicit consent from patients or their legal representatives. Additionally, common advertising practices that comply with the law are not considered harmful manipulative AI practices. Furthermore, using biometric data, like facial recognition or fingerprints, to infer someone's political beliefs, union membership, religion, race, sexual orientation, or personal life is prohibited. This ban does not apply to lawful categorization of biometric data, such as sorting images by hair or eye color for law enforcement purposes. Lastly, AI systems that score individuals socially, whether by public or private entities, can lead to discrimination and the exclusion of certain groups.
of the AI system to mitigate. In any case, it is not necessary for the provider or the deployer to have the intention to cause significant harm, provided that such harm results from the manipulative or exploitative AI-enabled practices. The prohibitions for such AI practices are complementary to the provisions contained in Directive 2005/29/EC of the European Parliament and of the Council (17), in particular unfair commercial practices leading to economic or financial harms to consumers are prohibited under all circumstances, irrespective of whether they are put in place through AI systems or otherwise. The prohibitions of manipulative and exploitative practices in this Regulation should not affect lawful practices in the context of medical treatment such as psychological treatment of a mental disease or physical rehabilitation, when those practices are carried out in accordance with the applicable law and medical standards, for example explicit consent of the individuals or their legal representatives. In addition, common and legitimate commercial practices, for example in the field of advertising, that comply with the applicable law should not, in themselves, be regarded as constituting harmful manipulative AI-enabled practices. (30) Biometric categorisation systems that are based on natural persons’ biometric data, such as an individual person’s face or fingerprint, to deduce or infer an individuals’ political opinions, trade union membership, religious or philosophical beliefs, race, sex life or sexual orientation should be prohibited. That prohibition should not cover the lawful labelling, filtering or categorisation of biometric data sets acquired in line with Union or national law according to biometric data, such as the sorting of images according to hair colour or eye colour, which can for example be used in the area of law enforcement. (31) AI systems providing social scoring of natural persons by public or private actors may lead to discriminatory outcomes and the exclusion of certain groups.
Show original text
AI systems that score individuals based on their social behavior or personal characteristics can lead to discrimination and the exclusion of certain groups. This can violate people's rights to dignity, equality, and justice. These systems assess individuals using various data points over time, which can result in unfair treatment in social situations unrelated to the original data. Therefore, such scoring practices should be banned, although lawful evaluations for specific purposes under Union and national law can continue. Additionally, using AI for real-time remote biometric identification in public spaces for law enforcement is highly intrusive. It can invade the privacy of many people, create a sense of constant surveillance, and discourage the exercise of fundamental rights like freedom of assembly. Furthermore, inaccuracies in these AI systems can lead to biased results, particularly affecting individuals based on age, ethnicity, race, sex, or disabilities.
hair colour or eye colour, which can for example be used in the area of law enforcement. (31) AI systems providing social scoring of natural persons by public or private actors may lead to discriminatory outcomes and the exclusion of certain groups. They may violate the right to dignity and non-discrimination and the values of equality and justice. Such AI systems evaluate or classify natural persons or groups thereof on the basis of multiple data points related to their social behaviour in multiple contexts or known, inferred or predicted personal or personality characteristics over certain periods of time. The social score obtained from such AI systems may lead to the detrimental or unfavourable treatment of natural persons or whole groups thereof in social contexts, which are unrelated to the context in which the data was originally generated or collected or to a detrimental treatment that is disproportionate or unjustified to the gravity of their social behaviour. AI systems entailing such unacceptable scoring practices and leading to such detrimental or unfavourable outcomes should therefore be prohibited. That prohibition should not affect lawful evaluation practices of natural persons that are carried out for a specific purpose in accordance with Union and national law. (32) The use of AI systems for ‘real-time’ remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement is particularly intrusive to the rights and freedoms of the concerned persons, to the extent that it may affect the private life of a large part of the population, evoke a feeling of constant surveillance and indirectly dissuade the exercise of the freedom of assembly and other fundamental rights. Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. Such possible biased results and discriminatory effects are particularly relevant with regard to age, ethnicity, race, sex or disabilities.
Show original text
AI systems used for identifying people remotely can produce biased results and lead to discrimination, especially concerning age, ethnicity, race, sex, or disabilities. The immediate effects of these systems, along with limited chances for verification or correction during real-time use, pose significant risks to the rights and freedoms of individuals involved, particularly in law enforcement contexts. Therefore, using these systems for law enforcement should be banned, except in specific, narrowly defined situations where their use is essential for a significant public interest that outweighs the risks. These situations include searching for certain crime victims, threats to life or safety, or identifying suspects of serious crimes listed in an annex to this regulation, which are punishable by imprisonment in the relevant Member State.
AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. Such possible biased results and discriminatory effects are particularly relevant with regard to age, ethnicity, race, sex or disabilities. In addition, the immediacy of the impact and the limited opportunities for further checks or corrections in relation to the use of such systems operating in real-time carry heightened risks for the rights and freedoms of the persons concerned in the context of, or impacted by, law enforcement activities. (33) The use of those systems for the purpose of law enforcement should therefore be prohibited, except in exhaustively listed and narrowly defined situations, where the use is strictly necessary to achieve a substantial public interest, the importance of which outweighs the risks. Those situations involve the search for certain victims of crime including missing persons; certain threats to the life or to the physical safety of natural persons or of a terrorist attack; and the localisation or identification of perpetrators or suspects of the criminal offences listed in an annex to this Regulation, where those criminal offences are punishable in the Member State concerned by a custodial sentence or a detention OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 9/144 (17) Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11
Show original text
The Unfair Commercial Practices Directive (Directive 2005/29/EC) and Regulation (EC) No 2006/2004 set guidelines for serious criminal offenses that may justify the use of real-time remote biometric identification systems. For a custodial sentence or detention order to be applicable, the offense must be serious enough and defined by the laws of the respective Member State, with a maximum period of at least four years. The list of offenses is based on 32 crimes from the Council Framework Decision 2002/584/JHA, recognizing that some offenses may require more immediate identification of suspects than others. Additionally, a serious disruption of critical infrastructure, as defined in Directive (EU) 2022/2557, could pose an imminent threat to life or safety, particularly if it affects essential services for the population or the core functions of the State.
/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’) (OJ L 149, 11.6.2005, p. 22). order for a maximum period of at least four years and as they are defined in the law of that Member State. Such a threshold for the custodial sentence or detention order in accordance with national law contributes to ensuring that the offence should be serious enough to potentially justify the use of ‘real-time’ remote biometric identification systems. Moreover, the list of criminal offences provided in an annex to this Regulation is based on the 32 criminal offences listed in the Council Framework Decision 2002/584/JHA (18), taking into account that some of those offences are, in practice, likely to be more relevant than others, in that the recourse to ‘real-time’ remote biometric identification could, foreseeably, be necessary and proportionate to highly varying degrees for the practical pursuit of the localisation or identification of a perpetrator or suspect of the different criminal offences listed and having regard to the likely differences in the seriousness, probability and scale of the harm or possible negative consequences. An imminent threat to life or the physical safety of natural persons could also result from a serious disruption of critical infrastructure, as defined in Article 2, point (4) of Directive (EU) 2022/2557 of the European Parliament and of the Council (19), where the disruption or destruction of such critical infrastructure would result in an imminent threat to life or the physical safety of a person, including through serious harm to the provision of basic supplies to the population or to the exercise of the core function of the State.
Show original text
The destruction of critical infrastructure poses an immediate threat to people's lives and safety, especially if it disrupts basic supplies or the essential functions of the State. This Regulation allows law enforcement, border control, immigration, and asylum authorities to conduct identity checks on individuals present, following Union and national laws. These authorities can use information systems to identify individuals who refuse to provide their identity or cannot do so due to circumstances like an accident or medical condition, without needing prior approval. To ensure responsible use of these systems, specific factors must be considered, including the nature of the situation and its impact on the rights of those involved. Additionally, 'real-time' remote biometric identification in public spaces for law enforcement should only be used to confirm the identity of a targeted individual and must be limited in time, location, and scope, based on evidence of threats or the identity of victims or perpetrators.
or destruction of such critical infrastructure would result in an imminent threat to life or the physical safety of a person, including through serious harm to the provision of basic supplies to the population or to the exercise of the core function of the State. In addition, this Regulation should preserve the ability for law enforcement, border control, immigration or asylum authorities to carry out identity checks in the presence of the person concerned in accordance with the conditions set out in Union and national law for such checks. In particular, law enforcement, border control, immigration or asylum authorities should be able to use information systems, in accordance with Union or national law, to identify persons who, during an identity check, either refuse to be identified or are unable to state or prove their identity, without being required by this Regulation to obtain prior authorisation. This could be, for example, a person involved in a crime, being unwilling, or unable due to an accident or a medical condition, to disclose their identity to law enforcement authorities. (34) In order to ensure that those systems are used in a responsible and proportionate manner, it is also important to establish that, in each of those exhaustively listed and narrowly defined situations, certain elements should be taken into account, in particular as regards the nature of the situation giving rise to the request and the consequences of the use for the rights and freedoms of all persons concerned and the safeguards and conditions provided for with the use. In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement should be deployed only to confirm the specifically targeted individual’s identity and should be limited to what is strictly necessary concerning the period of time, as well as the geographic and personal scope, having regard in particular to the evidence or indications regarding the threats, the victims or perpetrator.
Show original text
The identity of the targeted individual should only be collected as necessary, considering the time period, location, and personal details, especially in relation to any threats, victims, or perpetrators. The use of real-time remote biometric identification systems in public spaces must be approved by law enforcement authorities after conducting a fundamental rights impact assessment. Unless stated otherwise in this regulation, these systems must also be registered in a designated database. Each use of these systems for law enforcement must receive explicit authorization from a judicial or independent administrative authority in a Member State, and this approval should generally be obtained before using the AI system to identify individuals. Exceptions can be made in urgent situations where it is impossible to get prior authorization. In such cases, the use of the AI system must be limited to what is absolutely necessary and must follow appropriate safeguards as defined by national law. The law enforcement authority must request authorization as soon as possible, explaining why it could not be obtained earlier, and must do so within 24 hours.
the specifically targeted individual’s identity and should be limited to what is strictly necessary concerning the period of time, as well as the geographic and personal scope, having regard in particular to the evidence or indications regarding the threats, the victims or perpetrator. The use of the real-time remote biometric identification system in publicly accessible spaces should be authorised only if the relevant law enforcement authority has completed a fundamental rights impact assessment and, unless provided otherwise in this Regulation, has registered the system in the database as set out in this Regulation. The reference database of persons should be appropriate for each use case in each of the situations mentioned above. (35) Each use of a ‘real-time’ remote biometric identification system in publicly accessible spaces for the purpose of law enforcement should be subject to an express and specific authorisation by a judicial authority or by an independent administrative authority of a Member State whose decision is binding. Such authorisation should, in principle, be obtained prior to the use of the AI system with a view to identifying a person or persons. Exceptions to that rule should be allowed in duly justified situations on grounds of urgency, namely in situations where the need to use the systems concerned is such as to make it effectively and objectively impossible to obtain an authorisation before commencing the use of the AI system. In such situations of urgency, the use of the AI system should be restricted to the absolute minimum necessary and should be subject to appropriate safeguards and conditions, as determined in national law and specified in the context of each individual urgent use case by the law enforcement authority itself. In addition, the law enforcement authority should in such situations request such authorisation while providing the reasons for not having been able to request it earlier, without undue delay and at the latest within 24 hours.
Show original text
The law enforcement authority must request authorization for using real-time biometric identification systems as soon as possible, and no later than 24 hours after the initial use. They should explain why they couldn't request it earlier. If the authorization is denied, the use of the biometric system must stop immediately, and all related data must be deleted. This data includes information collected by the AI system and any results produced from its use, but it does not include data obtained legally under other laws. Additionally, no decisions that negatively affect a person can be made based solely on the results from the biometric identification system. To ensure compliance with this regulation and national laws, the relevant market surveillance authority and national data protection authority must be informed of each use of the biometric identification system.
the law enforcement authority itself. In addition, the law enforcement authority should in such situations request such authorisation while providing the reasons for not having been able to request it earlier, without undue delay and at the latest within 24 hours. If such an authorisation is rejected, the use of real-time biometric identification systems linked to that authorisation should cease with immediate effect and all the data related to such use should be discarded and deleted. Such data includes EN OJ L, 12.7.2024 10/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (18) Council Framework Decision 2002/584/JHA of 13 June 2002 on the European arrest warrant and the surrender procedures between Member States (OJ L 190, 18.7.2002, p. 1). (19) Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, p. 164). input data directly acquired by an AI system in the course of the use of such system as well as the results and outputs of the use linked to that authorisation. It should not include input that is legally acquired in accordance with another Union or national law. In any case, no decision producing an adverse legal effect on a person should be taken based solely on the output of the remote biometric identification system. (36) In order to carry out their tasks in accordance with the requirements set out in this Regulation as well as in national rules, the relevant market surveillance authority and the national data protection authority should be notified of each use of the real-time biometric identification system.
Show original text
To perform their duties according to this Regulation and national laws, the relevant market surveillance authority and national data protection authority must be informed each time the real-time biometric identification system is used. These authorities are required to submit an annual report to the Commission regarding the use of these systems. Additionally, the Regulation states that a Member State can only allow the use of real-time biometric identification if it has explicitly included this possibility in its national laws. Member States can choose not to allow this use at all or to limit it to specific justified purposes outlined in the Regulation. Any new national rules must be reported to the Commission within 30 days of being adopted. Using AI systems for real-time biometric identification in public spaces for law enforcement involves processing biometric data. The rules in this Regulation, which generally prohibit such use with some exceptions, take precedence over the rules on processing biometric data in Article 10 of Directive (EU) 2016/680, ensuring comprehensive regulation of this use and the associated data processing.
to carry out their tasks in accordance with the requirements set out in this Regulation as well as in national rules, the relevant market surveillance authority and the national data protection authority should be notified of each use of the real-time biometric identification system. Market surveillance authorities and the national data protection authorities that have been notified should submit to the Commission an annual report on the use of real-time biometric identification systems. (37) Furthermore, it is appropriate to provide, within the exhaustive framework set by this Regulation that such use in the territory of a Member State in accordance with this Regulation should only be possible where and in as far as the Member State concerned has decided to expressly provide for the possibility to authorise such use in its detailed rules of national law. Consequently, Member States remain free under this Regulation not to provide for such a possibility at all or to only provide for such a possibility in respect of some of the objectives capable of justifying authorised use identified in this Regulation. Such national rules should be notified to the Commission within 30 days of their adoption. (38) The use of AI systems for real-time remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement necessarily involves the processing of biometric data. The rules of this Regulation that prohibit, subject to certain exceptions, such use, which are based on Article 16 TFEU, should apply as lex specialis in respect of the rules on the processing of biometric data contained in Article 10 of Directive (EU) 2016/680, thus regulating such use and the processing of biometric data involved in an exhaustive manner.
Show original text
This regulation serves as a specific guideline for processing biometric data, as outlined in Article 10 of Directive (EU) 2016/680. It allows for the use and processing of biometric data only if it aligns with this regulation's framework. Outside of this framework, law enforcement authorities cannot use these systems or process data based on the reasons listed in Article 10 of Directive (EU) 2016/680. Additionally, this regulation does not provide a legal basis for processing personal data under Article 8 of the same directive. The use of real-time remote biometric identification systems in public spaces for non-law enforcement purposes, even by authorities, is not covered by this regulation's law enforcement framework. Therefore, such use does not require authorization under this regulation or any related national laws. Furthermore, any processing of biometric data and other personal data involved in AI systems for biometric identification, except for real-time remote identification in public spaces for law enforcement, must still comply with the requirements of Article 10 of Directive (EU) 2016/680.
as lex specialis in respect of the rules on the processing of biometric data contained in Article 10 of Directive (EU) 2016/680, thus regulating such use and the processing of biometric data involved in an exhaustive manner. Therefore, such use and processing should be possible only in as far as it is compatible with the framework set by this Regulation, without there being scope, outside that framework, for the competent authorities, where they act for purpose of law enforcement, to use such systems and process such data in connection thereto on the grounds listed in Article 10 of Directive (EU) 2016/680. In that context, this Regulation is not intended to provide the legal basis for the processing of personal data under Article 8 of Directive (EU) 2016/680. However, the use of real-time remote biometric identification systems in publicly accessible spaces for purposes other than law enforcement, including by competent authorities, should not be covered by the specific framework regarding such use for the purpose of law enforcement set by this Regulation. Such use for purposes other than law enforcement should therefore not be subject to the requirement of an authorisation under this Regulation and the applicable detailed rules of national law that may give effect to that authorisation. (39) Any processing of biometric data and other personal data involved in the use of AI systems for biometric identification, other than in connection to the use of real-time remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement as regulated by this Regulation, should continue to comply with all requirements resulting from Article 10 of Directive (EU) 2016/680.
Show original text
The use of real-time remote biometric identification systems in public spaces for law enforcement must follow the rules set out in Article 10 of Directive (EU) 2016/680. For other purposes, Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 generally prohibit the processing of biometric data, with some exceptions. National data protection authorities have already banned the use of remote biometric identification for non-law enforcement purposes. According to Article 6a of Protocol No 21, Ireland is not required to follow certain rules in Article 5(1) regarding biometric categorization systems and AI systems used in police and judicial cooperation in criminal matters, as well as other related articles of this Regulation concerning personal data processing by Member States in specific judicial activities.
use of real-time remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement as regulated by this Regulation, should continue to comply with all requirements resulting from Article 10 of Directive (EU) 2016/680. For purposes other than law enforcement, Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 prohibit the processing of biometric data subject to limited exceptions as provided in those Articles. In the application of Article 9(1) of Regulation (EU) 2016/679, the use of remote biometric identification for purposes other than law enforcement has already been subject to prohibition decisions by national data protection authorities. (40) In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the TEU and to the TFEU, Ireland is not bound by the rules laid down in Article 5(1), first subparagraph, point (g), to the extent it applies to the use of biometric categorisation systems for activities in the field of police cooperation and judicial cooperation in criminal matters, Article 5(1), first subparagraph, point (d), to the extent it applies to the use of AI systems covered by that provision, Article 5(1), first subparagraph, point (h), Article 5(2) to (6) and Article 26(10) of this Regulation adopted on the basis of Article 16 TFEU which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal
Show original text
Member States are not required to follow certain judicial and police cooperation rules when Ireland is involved in activities related to Chapters 4 or 5 of Title V of Part Three of the TFEU. Additionally, according to Articles 2 and 2a of Protocol No 22 regarding Denmark, Denmark is not obligated to comply with specific rules about biometric categorization systems and AI systems in police and judicial cooperation, as outlined in Article 5(1) of the Regulation adopted under Article 16 TFEU. Furthermore, it is important to uphold the presumption of innocence, meaning individuals in the Union should be judged based on their actual behavior.
by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU, where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 TFEU. (41) In accordance with Articles 2 and 2a of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not bound by rules laid down in Article 5(1), first subparagraph, point (g), to the extent it applies to the use of biometric categorisation systems for activities in the field of police cooperation and judicial cooperation in criminal matters, Article 5(1), first subparagraph, point (d), to the extent it applies to the use of AI systems covered by that provision, Article 5(1), first subparagraph, point (h), (2) to (6) and Article 26(10) of this Regulation OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 11/144 adopted on the basis of Article 16 TFEU, or subject to their application, which relate to the processing of personal data by the Member States when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU. (42) In line with the presumption of innocence, natural persons in the Union should always be judged on their actual behaviour.
Show original text
Chapter 4 and Chapter 5 of Title V of Part Three of the TFEU outline important guidelines. According to the principle of presumption of innocence, individuals in the European Union should be judged based on their actual actions, not on AI predictions about their behavior derived from profiling or personal traits like nationality, birthplace, residence, number of children, debt level, or car type. There must be reasonable suspicion based on objective facts and human evaluation before judging someone. Therefore, risk assessments predicting criminal behavior based solely on profiling should be banned. However, this ban does not apply to risk analytics that do not involve profiling individuals, such as AI systems assessing the likelihood of financial fraud based on suspicious transactions or tools predicting the location of illegal goods based on known trafficking routes. Additionally, the use of AI systems that create or enhance facial recognition databases by indiscriminately collecting facial images from the internet or CCTV should be prohibited, as this contributes to mass surveillance and can violate fundamental rights, including privacy. There are also significant concerns about the reliability of AI systems designed to identify or interpret emotions, as emotional expressions can vary widely across different cultures and contexts, and even within the same person.
the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU. (42) In line with the presumption of innocence, natural persons in the Union should always be judged on their actual behaviour. Natural persons should never be judged on AI-predicted behaviour based solely on their profiling, personality traits or characteristics, such as nationality, place of birth, place of residence, number of children, level of debt or type of car, without a reasonable suspicion of that person being involved in a criminal activity based on objective verifiable facts and without human assessment thereof. Therefore, risk assessments carried out with regard to natural persons in order to assess the likelihood of their offending or to predict the occurrence of an actual or potential criminal offence based solely on profiling them or on assessing their personality traits and characteristics should be prohibited. In any case, that prohibition does not refer to or touch upon risk analytics that are not based on the profiling of individuals or on the personality traits and characteristics of individuals, such as AI systems using risk analytics to assess the likelihood of financial fraud by undertakings on the basis of suspicious transactions or risk analytic tools to predict the likelihood of the localisation of narcotics or illicit goods by customs authorities, for example on the basis of known trafficking routes. (43) The placing on the market, the putting into service for that specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage, should be prohibited because that practice adds to the feeling of mass surveillance and can lead to gross violations of fundamental rights, including the right to privacy. (44) There are serious concerns about the scientific basis of AI systems aiming to identify or infer emotions, particularly as expression of emotions vary considerably across cultures and situations, and even within a single individual.
Show original text
There are significant concerns about the scientific validity of AI systems that try to identify or infer emotions. This is because emotional expressions can differ greatly across cultures, situations, and even within the same person. Key issues with these systems include their unreliability, lack of precision, and limited applicability. As a result, AI systems that use biometric data to determine emotions or intentions could lead to discrimination and violate individuals' rights and freedoms. In contexts like work or education, where there is often a power imbalance, these systems could result in unfair treatment of certain individuals or groups. Therefore, AI systems designed to detect emotional states in workplace or educational settings should be banned. However, this ban does not apply to AI systems intended for medical or safety purposes, such as those used in therapy. Additionally, practices that are already prohibited by EU laws, including data protection, non-discrimination, consumer protection, and competition laws, will not be affected by this regulation. High-risk AI systems can only be sold, used, or implemented in the EU if they meet specific mandatory requirements to ensure they do not pose unacceptable risks to important public interests protected by EU law.
fundamental rights, including the right to privacy. (44) There are serious concerns about the scientific basis of AI systems aiming to identify or infer emotions, particularly as expression of emotions vary considerably across cultures and situations, and even within a single individual. Among the key shortcomings of such systems are the limited reliability, the lack of specificity and the limited generalisability. Therefore, AI systems identifying or inferring emotions or intentions of natural persons on the basis of their biometric data may lead to discriminatory outcomes and can be intrusive to the rights and freedoms of the concerned persons. Considering the imbalance of power in the context of work or education, combined with the intrusive nature of these systems, such systems could lead to detrimental or unfavourable treatment of certain natural persons or whole groups thereof. Therefore, the placing on the market, the putting into service, or the use of AI systems intended to be used to detect the emotional state of individuals in situations related to the workplace and education should be prohibited. That prohibition should not cover AI systems placed on the market strictly for medical or safety reasons, such as systems intended for therapeutical use. (45) Practices that are prohibited by Union law, including data protection law, non-discrimination law, consumer protection law, and competition law, should not be affected by this Regulation. (46) High-risk AI systems should only be placed on the Union market, put into service or used if they comply with certain mandatory requirements. Those requirements should ensure that high-risk AI systems available in the Union or whose output is otherwise used in the Union do not pose unacceptable risks to important Union public interests as recognised and protected by Union law.
Show original text
Certain mandatory requirements must be followed to ensure that high-risk AI systems used in the European Union do not pose unacceptable risks to important public interests protected by EU law. According to the New Legislative Framework, as explained in the Commission's notice 'The Blue Guide on the implementation of EU product rules 2022', multiple EU laws can apply to a single product. This includes Regulations (EU) 2017/745 and (EU) 2017/746, as well as Directive 2006/42/EC, since a product can be made available or put into service under more than one legal act.
comply with certain mandatory requirements. Those requirements should ensure that high-risk AI systems available in the Union or whose output is otherwise used in the Union do not pose unacceptable risks to important Union public interests as recognised and protected by Union law. On the basis of the New Legislative Framework, as clarified in the Commission notice ‘The “Blue Guide” on the implementation of EU product rules 2022’ (20), the general rule is that more than one legal act of Union harmonisation legislation, such as Regulations (EU) 2017/745 (21) and (EU) 2017/746 (22) of the European Parliament and of the Council or Directive 2006/42/EC of the European Parliament and of the Council (23), may be applicable to one product, since the making available or putting into service can take EN OJ L, 12.7.2024 12/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (20) OJ C 247, 29.6.2022, p. 1. (21) Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1).
Show original text
Regulation (EC) No 1223/2009, which replaced Council Directives 90/385/EEC and 93/42/EEC, was published in the Official Journal on May 5, 2017. Additionally, Regulation (EU) 2017/746, concerning in vitro diagnostic medical devices, replaced Directive 98/79/EC and Commission Decision 2010/227/EU, also published on May 5, 2017. Furthermore, Directive 2006/42/EC, which addresses machinery and amends Directive 95/16/EC, was published on June 9, 2006. Products can only be placed on the market if they comply with all relevant EU harmonization laws. To reduce administrative burdens and costs, providers of products containing high-risk AI systems should have the flexibility to decide how to meet compliance requirements effectively. High-risk AI systems are those that could significantly harm the health, safety, and fundamental rights of individuals in the EU, and this limitation aims to minimize any negative impact on international trade. It's important to note that AI systems can pose risks to health and safety, especially when they are part of safety components in products.
EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1). (22) Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176). (23) Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (OJ L 157, 9.6.2006, p. 24). place only when the product complies with all applicable Union harmonisation legislation. To ensure consistency and avoid unnecessary administrative burdens or costs, providers of a product that contains one or more high-risk AI systems, to which the requirements of this Regulation and of the Union harmonisation legislation listed in an annex to this Regulation apply, should have flexibility with regard to operational decisions on how to ensure compliance of a product that contains one or more AI systems with all applicable requirements of the Union harmonisation legislation in an optimal manner. AI systems identified as high-risk should be limited to those that have a significant harmful impact on the health, safety and fundamental rights of persons in the Union and such limitation should minimise any potential restriction to international trade. (47) AI systems could have an adverse impact on the health and safety of persons, in particular when such systems operate as safety components of products.
Show original text
The Union aims to limit restrictions on international trade while ensuring the safety and health of its citizens. AI systems can pose risks, especially when they are part of safety features in products. To support the free movement of safe products in the market, it is crucial to address and reduce any safety risks associated with digital components, including AI. For example, autonomous robots used in manufacturing or personal care must operate safely in complex environments. In healthcare, advanced diagnostic systems must be reliable and accurate due to the high stakes involved. Additionally, when determining if an AI system is high risk, it is important to consider its potential negative effects on fundamental rights protected by the Charter. These rights include human dignity, privacy, data protection, freedom of expression, assembly, and association, non-discrimination, education, consumer protection, workers' rights, rights of persons with disabilities, gender equality, intellectual property rights, the right to a fair trial, and good administration.
of persons in the Union and such limitation should minimise any potential restriction to international trade. (47) AI systems could have an adverse impact on the health and safety of persons, in particular when such systems operate as safety components of products. Consistent with the objectives of Union harmonisation legislation to facilitate the free movement of products in the internal market and to ensure that only safe and otherwise compliant products find their way into the market, it is important that the safety risks that may be generated by a product as a whole due to its digital components, including AI systems, are duly prevented and mitigated. For instance, increasingly autonomous robots, whether in the context of manufacturing or personal assistance and care should be able to safely operate and performs their functions in complex environments. Similarly, in the health sector where the stakes for life and health are particularly high, increasingly sophisticated diagnostics systems and systems supporting human decisions should be reliable and accurate. (48) The extent of the adverse impact caused by the AI system on the fundamental rights protected by the Charter is of particular relevance when classifying an AI system as high risk. Those rights include the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and of association, the right to non-discrimination, the right to education, consumer protection, workers’ rights, the rights of persons with disabilities, gender equality, intellectual property rights, the right to an effective remedy and to a fair trial, the right of defence and the presumption of innocence, and the right to good administration.
Show original text
This text discusses various rights, including the rights of people with disabilities, gender equality, intellectual property rights, the right to a fair trial, the right to defend oneself, the presumption of innocence, and the right to good administration. It also emphasizes that children have specific rights outlined in Article 24 of the Charter and the United Nations Convention on the Rights of the Child (UNCRC). These rights, further detailed in UNCRC General Comment No. 25 regarding the digital environment, recognize children's vulnerabilities and the need for protection and care for their well-being. Additionally, the Charter includes the fundamental right to a high level of environmental protection, which should be considered when evaluating the potential harm caused by AI systems, especially concerning health and safety. The text also mentions high-risk AI systems that are part of products or systems regulated by various European Union regulations and directives, including Regulation (EC) No. 300/2008, Regulation (EU) No. 167/2013, Regulation (EU) No. 168/2013, Directive 2014/90/EU, Directive (EU) 2016/797, Regulation (EU) 2018/858, and Regulation (EU) 2018/1139.
’ rights, the rights of persons with disabilities, gender equality, intellectual property rights, the right to an effective remedy and to a fair trial, the right of defence and the presumption of innocence, and the right to good administration. In addition to those rights, it is important to highlight the fact that children have specific rights as enshrined in Article 24 of the Charter and in the United Nations Convention on the Rights of the Child, further developed in the UNCRC General Comment No 25 as regards the digital environment, both of which require consideration of the children’s vulnerabilities and provision of such protection and care as necessary for their well-being. The fundamental right to a high level of environmental protection enshrined in the Charter and implemented in Union policies should also be considered when assessing the severity of the harm that an AI system can cause, including in relation to the health and safety of persons. (49) As regards high-risk AI systems that are safety components of products or systems, or which are themselves products or systems falling within the scope of Regulation (EC) No 300/2008 of the European Parliament and of the Council (24), Regulation (EU) No 167/2013 of the European Parliament and of the Council (25), Regulation (EU) No 168/2013 of the European Parliament and of the Council (26), Directive 2014/90/EU of the European Parliament and of the Council (27), Directive (EU) 2016/797 of the European Parliament and of the Council (28), Regulation (EU) 2018/858 of the European Parliament and of the Council (29), Regulation (EU) 2018/1139 of the OJ L, 12.7.
Show original text
This text references several regulations and directives from the European Parliament and Council. Key documents include: 1. Regulation (EU) 2018/858, 2. Regulation (EU) 2018/1139, 3. Regulation (EC) No 300/2008, which establishes common rules for civil aviation security and replaces Regulation (EC) No 2320/2002, 4. Regulation (EU) No 167/2013, concerning the approval and market surveillance of agricultural and forestry vehicles, 5. Regulation (EU) No 168/2013, related to the approval and market surveillance of two- or three-wheel vehicles and quadricycles, 6. Directive 2014/90/EU, which addresses marine equipment and replaces Council Directive 96/98/EC, 7. Directive (EU) 2016/797, focusing on the interoperability of the rail system within the EU.
of the Council (28), Regulation (EU) 2018/858 of the European Parliament and of the Council (29), Regulation (EU) 2018/1139 of the OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 13/144 (24) Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72). (25) Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1). (26) Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52). (27) Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146). (28) Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.
Show original text
Directive (EU) 2016/797, issued by the European Parliament and Council on May 11, 2016, focuses on making the rail system in the European Union interoperable (Official Journal L 138, 26.5.2016, p. 44). Regulation (EU) 2018/858, also from the European Parliament and Council, was enacted on May 30, 2018. It deals with the approval and market monitoring of motor vehicles, trailers, and their components, while updating previous regulations (Official Journal L 151, 14.6.2018, p. 1). Additionally, Regulation (EU) 2019/2144 requires amendments to ensure that the European Commission considers the specific technical and regulatory needs of each sector. This is to ensure compliance with the mandatory requirements for high-risk AI systems outlined in this Regulation, without disrupting existing governance and enforcement mechanisms. Furthermore, AI systems that are safety components of products or are products themselves will be classified as high-risk if they are subject to conformity assessment by a third-party body under relevant EU harmonization legislation.
) Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44). (29) Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1). European Parliament and of the Council (30), and Regulation (EU) 2019/2144 of the European Parliament and of the Council (31), it is appropriate to amend those acts to ensure that the Commission takes into account, on the basis of the technical and regulatory specificities of each sector, and without interfering with existing governance, conformity assessment and enforcement mechanisms and authorities established therein, the mandatory requirements for high-risk AI systems laid down in this Regulation when adopting any relevant delegated or implementing acts on the basis of those acts. (50) As regards AI systems that are safety components of products, or which are themselves products, falling within the scope of certain Union harmonisation legislation listed in an annex to this Regulation, it is appropriate to classify them as high-risk under this Regulation if the product concerned undergoes the conformity assessment procedure with a third-party conformity assessment body pursuant to that relevant Union harmonisation legislation.
Show original text
Products listed in the annex of this Regulation are classified as high-risk if they go through a conformity assessment with a third-party body according to relevant EU harmonization laws. These products include machinery, toys, lifts, equipment for explosive environments, radio equipment, pressure equipment, recreational craft, cableway systems, gas-burning appliances, medical devices, in vitro diagnostic devices, and automotive and aviation products. However, classifying an AI system as high-risk under this Regulation does not automatically mean that the product it is part of, or the AI system itself, is considered high-risk according to the relevant EU laws. This is particularly true for Regulations (EU) 2017/745 and (EU) 2017/746, which allow for third-party assessments for medium and high-risk products. For stand-alone high-risk AI systems, which are not safety components of other products, they should be classified as high-risk if their intended use poses a significant risk to health, safety, or fundamental rights. This classification considers both the severity and likelihood of potential harm and applies to specific areas defined in this Regulation.
isation legislation listed in an annex to this Regulation, it is appropriate to classify them as high-risk under this Regulation if the product concerned undergoes the conformity assessment procedure with a third-party conformity assessment body pursuant to that relevant Union harmonisation legislation. In particular, such products are machinery, toys, lifts, equipment and protective systems intended for use in potentially explosive atmospheres, radio equipment, pressure equipment, recreational craft equipment, cableway installations, appliances burning gaseous fuels, medical devices, in vitro diagnostic medical devices, automotive and aviation. (51) The classification of an AI system as high-risk pursuant to this Regulation should not necessarily mean that the product whose safety component is the AI system, or the AI system itself as a product, is considered to be high-risk under the criteria established in the relevant Union harmonisation legislation that applies to the product. This is, in particular, the case for Regulations (EU) 2017/745 and (EU) 2017/746, where a third-party conformity assessment is provided for medium-risk and high-risk products. (52) As regards stand-alone AI systems, namely high-risk AI systems other than those that are safety components of products, or that are themselves products, it is appropriate to classify them as high-risk if, in light of their intended purpose, they pose a high risk of harm to the health and safety or the fundamental rights of persons, taking into account both the severity of the possible harm and its probability of occurrence and they are used in a number of specifically pre-defined areas specified in this Regulation.
Show original text
This regulation assesses the risk of harm to people's health, safety, or fundamental rights by considering both how severe the potential harm could be and how likely it is to happen. It focuses on specific areas defined in the regulation. The identification of high-risk AI systems follows a set methodology and criteria, which will also apply to any future updates to the list of high-risk AI systems. The Commission has the authority to make these updates through delegated acts to keep pace with rapid technological advancements and changes in AI usage. It's important to note that some AI systems in these defined areas may not pose a significant risk to legal interests if they do not significantly affect decision-making. For this regulation, an AI system is considered to not materially influence decision-making if it does not impact the substance or outcome of decisions, whether made by humans or automated processes. Examples of such AI systems include those that perform narrow tasks, like converting unstructured data into structured data, classifying documents, or identifying duplicate applications. These limited tasks carry minimal risks, even when used in high-risk contexts outlined in the regulation.
risk of harm to the health and safety or the fundamental rights of persons, taking into account both the severity of the possible harm and its probability of occurrence and they are used in a number of specifically pre-defined areas specified in this Regulation. The identification of those systems is based on the same methodology and criteria envisaged also for any future amendments of the list of high-risk AI systems that the Commission should be empowered to adopt, via delegated acts, to take into account the rapid pace of technological development, as well as the potential changes in the use of AI systems. (53) It is also important to clarify that there may be specific cases in which AI systems referred to in pre-defined areas specified in this Regulation do not lead to a significant risk of harm to the legal interests protected under those areas because they do not materially influence the decision-making or do not harm those interests substantially. For the purposes of this Regulation, an AI system that does not materially influence the outcome of decision-making should be understood to be an AI system that does not have an impact on the substance, and thereby the outcome, of decision-making, whether human or automated. An AI system that does not materially influence the outcome of decision-making could include situations in which one or more of the following conditions are fulfilled. The first such condition should be that the AI system is intended to perform a narrow procedural task, such as an AI system that transforms unstructured data into structured data, an AI system that classifies incoming documents into categories or an AI system that is used to detect duplicates among a large number of applications. Those tasks are of such narrow and limited nature that they pose only limited risks which are not increased through the use of an AI system in a context that is listed as a high-risk use in an annex to this Regulation. The second condition should be EN OJ L, 12.7.
Show original text
There are only limited risks associated with using an AI system in high-risk situations as defined in an annex to this Regulation. The second condition is outlined in Regulation (EU) 2018/1139, which was established by the European Parliament and Council on July 4, 2018. This regulation sets common rules for civil aviation and creates the European Union Aviation Safety Agency. It also amends several previous regulations and directives related to aviation safety. Additionally, Regulation (EU) 2019/2144, enacted on November 27, 2019, addresses type-approval requirements for motor vehicles and their trailers, focusing on general safety and the protection of vehicle occupants and vulnerable road users. This regulation also amends and repeals earlier regulations concerning vehicle safety.
only limited risks which are not increased through the use of an AI system in a context that is listed as a high-risk use in an annex to this Regulation. The second condition should be EN OJ L, 12.7.2024 14/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (30) Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1). (31) Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council
Show original text
The European Parliament and the Council have repealed several regulations, including Regulations (EC) No 78/2009, (EC) No 79/2009, and (EC) No 661/2009, as well as Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012, and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1). The AI system's role is to enhance the results of tasks previously done by humans, particularly for high-risk applications listed in an annex of this Regulation. This means the AI adds an extra layer to human work, which reduces risk. For example, AI can improve the language in documents by refining the professional tone, academic style, or aligning the text with specific brand messaging. Additionally, the AI system should be designed to identify patterns in decision-making or notice deviations from past decisions.
the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1). that the task performed by the AI system is intended to improve the result of a previously completed human activity that may be relevant for the purposes of the high-risk uses listed in an annex to this Regulation. Considering those characteristics, the AI system provides only an additional layer to a human activity with consequently lowered risk. That condition would, for example, apply to AI systems that are intended to improve the language used in previously drafted documents, for example in relation to professional tone, academic style of language or by aligning text to a certain brand messaging. The third condition should be that the AI system is intended to detect decision-making patterns or deviations from prior decision-making patterns.
Show original text
AI systems should meet certain conditions to ensure they are safe and effective. First, they should maintain a professional tone and academic language, and align with specific brand messaging. Second, these systems should be designed to identify patterns in decision-making or any changes from previous patterns. This reduces risk because the AI is used after a human assessment, which it does not replace or influence without proper review. For example, an AI can analyze a teacher's grading patterns to identify any inconsistencies. Third, the AI should only perform tasks that prepare for an assessment relevant to specific regulations, minimizing the risk of its output affecting the final assessment. This includes smart file handling solutions like indexing, searching, and translating documents. Lastly, AI systems used in high-risk scenarios, as listed in the regulations, can pose significant risks to health, safety, or fundamental rights, especially if they involve profiling as defined in EU regulations.
, for example in relation to professional tone, academic style of language or by aligning text to a certain brand messaging. The third condition should be that the AI system is intended to detect decision-making patterns or deviations from prior decision-making patterns. The risk would be lowered because the use of the AI system follows a previously completed human assessment which it is not meant to replace or influence, without proper human review. Such AI systems include for instance those that, given a certain grading pattern of a teacher, can be used to check ex post whether the teacher may have deviated from the grading pattern so as to flag potential inconsistencies or anomalies. The fourth condition should be that the AI system is intended to perform a task that is only preparatory to an assessment relevant for the purposes of the AI systems listed in an annex to this Regulation, thus making the possible impact of the output of the system very low in terms of representing a risk for the assessment to follow. That condition covers, inter alia, smart solutions for file handling, which include various functions from indexing, searching, text and speech processing or linking data to other data sources, or AI systems used for translation of initial documents. In any case, AI systems used in high-risk use-cases listed in an annex to this Regulation should be considered to pose significant risks of harm to the health, safety or fundamental rights if the AI system implies profiling within the meaning of Article 4, point (4) of Regulation (EU) 2016/679 or Article 3, point (4) of Directive (EU) 2016/680 or Article 3, point (5) of Regulation (EU) 2018/1725.
Show original text
Regulation (EU) 2016/679, Article 3, point (4) of Directive (EU) 2016/680, and Article 3, point (5) of Regulation (EU) 2018/1725 require that if a provider believes their AI system is not high-risk, they must document their assessment before the system is sold or used. This documentation must be available to national authorities if requested. Additionally, the provider must register the AI system in the EU database created by this Regulation. To help with the practical application of these rules, the Commission will provide guidelines, after consulting the Board, that include examples of both high-risk and non-high-risk AI systems. Biometric data is considered a special type of personal data, and many critical uses of biometric systems are classified as high-risk, as long as they comply with relevant EU and national laws. AI systems used for remote biometric identification can produce inaccurate results, leading to bias and discrimination based on age, ethnicity, race, sex, or disabilities. Therefore, these remote biometric identification systems are classified as high-risk due to the potential dangers they pose.
Regulation (EU) 2016/679 or Article 3, point (4) of Directive (EU) 2016/680 or Article 3, point (5) of Regulation (EU) 2018/1725. To ensure traceability and transparency, a provider who considers that an AI system is not high-risk on the basis of the conditions referred to above should draw up documentation of the assessment before that system is placed on the market or put into service and should provide that documentation to national competent authorities upon request. Such a provider should be obliged to register the AI system in the EU database established under this Regulation. With a view to providing further guidance for the practical implementation of the conditions under which the AI systems listed in an annex to this Regulation are, on an exceptional basis, non-high-risk, the Commission should, after consulting the Board, provide guidelines specifying that practical implementation, completed by a comprehensive list of practical examples of use cases of AI systems that are high-risk and use cases that are not. (54) As biometric data constitutes a special category of personal data, it is appropriate to classify as high-risk several critical-use cases of biometric systems, insofar as their use is permitted under relevant Union and national law. Technical inaccuracies of AI systems intended for the remote biometric identification of natural persons can lead to biased results and entail discriminatory effects. The risk of such biased results and discriminatory effects is particularly relevant with regard to age, ethnicity, race, sex or disabilities. Remote biometric identification systems should therefore be classified as high-risk in view of the risks that they pose.
Show original text
The risk of biased results and discrimination is especially important when it comes to age, ethnicity, race, sex, or disabilities. Therefore, remote biometric identification systems should be considered high-risk due to these potential dangers. However, AI systems used solely for biometric verification—like confirming a person's identity for accessing services, unlocking devices, or entering secure areas—are not classified as high-risk. Additionally, AI systems that categorize individuals based on sensitive attributes protected under Article 9(1) of Regulation (EU) 2016/679, as well as emotion recognition systems that comply with this regulation, should be classified as high-risk. On the other hand, biometric systems designed only for cybersecurity and personal data protection are not considered high-risk AI systems. Furthermore, AI systems used as safety components in managing critical infrastructure—such as digital infrastructure, road traffic, and the supply of water, gas, heating, and electricity—should also be classified as high-risk. This is because any failure in these systems could endanger lives and disrupt social and economic activities significantly.
effects. The risk of such biased results and discriminatory effects is particularly relevant with regard to age, ethnicity, race, sex or disabilities. Remote biometric identification systems should therefore be classified as high-risk in view of the risks that they pose. Such a classification excludes AI systems intended to be used for biometric verification, including authentication, the sole purpose of which is to confirm that a specific natural person is who that person claims to be and to confirm the identity of a natural person for the sole purpose of having access to a service, unlocking a device or having secure access to premises. In addition, AI systems intended to be used for biometric categorisation according to sensitive attributes or characteristics protected under Article 9(1) of Regulation (EU) 2016/679 on the basis of biometric data, in so far as these are not prohibited under this Regulation, and emotion recognition systems that are not prohibited under this Regulation, should be classified as high-risk. Biometric systems which are intended to be used solely for the purpose of enabling cybersecurity and personal data protection measures should not be considered to be high-risk AI systems. (55) As regards the management and operation of critical infrastructure, it is appropriate to classify as high-risk the AI systems intended to be used as safety components in the management and operation of critical digital infrastructure as listed in point (8) of the Annex to Directive (EU) 2022/2557, road traffic and the supply of water, gas, heating and electricity, since their failure or malfunctioning may put at risk the life and health of persons at large scale and lead to appreciable disruptions in the ordinary conduct of social and economic activities.
Show original text
The supply of water, gas, heating, and electricity is crucial because their failure can endanger people's lives and health on a large scale, disrupting everyday social and economic activities. Safety components of critical infrastructure, including digital systems, are designed to protect the physical integrity of this infrastructure and ensure the safety of people and property, but they are not essential for the system's basic operation. If these safety components fail, they can pose risks to both the infrastructure and public safety. However, components meant only for cybersecurity do not count as safety components. Examples of safety components include systems that monitor water pressure or fire alarm systems in cloud computing centers. The use of AI systems in education is vital for providing high-quality digital education and training. These systems help learners and teachers develop essential digital skills, such as media literacy and critical thinking, which are necessary for participating in the economy, society, and democratic processes. However, AI systems that determine access to educational programs, evaluate learning outcomes, assess individual education levels, or monitor student behavior during tests should be considered high-risk. This is because they can significantly influence a person's educational and professional path.
the supply of water, gas, heating and electricity, since their failure or malfunctioning may put at risk the life and health of persons at large scale and lead to appreciable disruptions in the ordinary conduct of social and economic activities. Safety components of critical infrastructure, including critical digital infrastructure, are systems used to directly protect the physical integrity of critical infrastructure or the health and safety of persons and property but which are not necessary in order for the OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 15/144 system to function. The failure or malfunctioning of such components might directly lead to risks to the physical integrity of critical infrastructure and thus to risks to health and safety of persons and property. Components intended to be used solely for cybersecurity purposes should not qualify as safety components. Examples of safety components of such critical infrastructure may include systems for monitoring water pressure or fire alarm controlling systems in cloud computing centres. (56) The deployment of AI systems in education is important to promote high-quality digital education and training and to allow all learners and teachers to acquire and share the necessary digital skills and competences, including media literacy, and critical thinking, to take an active part in the economy, society, and in democratic processes. However, AI systems used in education or vocational training, in particular for determining access or admission, for assigning persons to educational and vocational training institutions or programmes at all levels, for evaluating learning outcomes of persons, for assessing the appropriate level of education for an individual and materially influencing the level of education and training that individuals will receive or will be able to access or for monitoring and detecting prohibited behaviour of students during tests should be classified as high-risk AI systems, since they may determine the educational and professional course of a person’s life and therefore may
Show original text
AI systems that monitor students during tests or assess their behavior should be considered high-risk because they can significantly impact a person's education and career, potentially affecting their ability to earn a living. If these systems are not designed and used properly, they can invade privacy and violate rights to education and non-discrimination, particularly affecting women, certain age groups, people with disabilities, and individuals from specific racial, ethnic, or sexual orientation backgrounds. Similarly, AI systems used in hiring, managing employees, and self-employment should also be classified as high-risk. These systems can influence job prospects, workers' rights, and livelihoods. It is important that employees and service providers are meaningfully involved in work-related decisions, as these systems can reinforce existing discrimination patterns against various groups. Additionally, AI systems that monitor employee performance may infringe on their rights to data protection and privacy.
that individuals will receive or will be able to access or for monitoring and detecting prohibited behaviour of students during tests should be classified as high-risk AI systems, since they may determine the educational and professional course of a person’s life and therefore may affect that person’s ability to secure a livelihood. When improperly designed and used, such systems may be particularly intrusive and may violate the right to education and training as well as the right not to be discriminated against and perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. (57) AI systems used in employment, workers management and access to self-employment, in particular for the recruitment and selection of persons, for making decisions affecting terms of the work-related relationship, promotion and termination of work-related contractual relationships, for allocating tasks on the basis of individual behaviour, personal traits or characteristics and for monitoring or evaluation of persons in work-related contractual relationships, should also be classified as high-risk, since those systems may have an appreciable impact on future career prospects, livelihoods of those persons and workers’ rights. Relevant work-related contractual relationships should, in a meaningful manner, involve employees and persons providing services through platforms as referred to in the Commission Work Programme 2021. Throughout the recruitment process and in the evaluation, promotion, or retention of persons in work-related contractual relationships, such systems may perpetuate historical patterns of discrimination, for example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of such persons may also undermine their fundamental rights to data protection and privacy.
Show original text
AI systems can negatively affect certain groups, including women, people of specific ages, individuals with disabilities, and those from particular racial, ethnic, or sexual orientation backgrounds. These systems may violate their rights to data protection and privacy. AI's role in accessing essential public and private services is also important. People who rely on public assistance, such as healthcare, social security, and housing support, are often in vulnerable situations. If AI is used to decide whether these benefits should be granted or taken away, it can significantly impact their lives and violate their rights to social protection, non-discrimination, and dignity. Therefore, these AI systems should be considered high-risk. However, this regulation should not prevent the development of innovative and safe AI solutions in public administration, as long as they do not pose high risks to individuals or legal entities. Additionally, AI systems that assess credit scores or creditworthiness should also be classified as high-risk, as they affect access to financial resources and essential services like housing, electricity, and telecommunications.
example against women, certain age groups, persons with disabilities, or persons of certain racial or ethnic origins or sexual orientation. AI systems used to monitor the performance and behaviour of such persons may also undermine their fundamental rights to data protection and privacy. (58) Another area in which the use of AI systems deserves special consideration is the access to and enjoyment of certain essential private and public services and benefits necessary for people to fully participate in society or to improve one’s standard of living. In particular, natural persons applying for or receiving essential public assistance benefits and services from public authorities namely healthcare services, social security benefits, social services providing protection in cases such as maternity, illness, industrial accidents, dependency or old age and loss of employment and social and housing assistance, are typically dependent on those benefits and services and in a vulnerable position in relation to the responsible authorities. If AI systems are used for determining whether such benefits and services should be granted, denied, reduced, revoked or reclaimed by authorities, including whether beneficiaries are legitimately entitled to such benefits or services, those systems may have a significant impact on persons’ livelihood and may infringe their fundamental rights, such as the right to social protection, non-discrimination, human dignity or an effective remedy and should therefore be classified as high-risk. Nonetheless, this Regulation should not hamper the development and use of innovative approaches in the public administration, which would stand to benefit from a wider use of compliant and safe AI systems, provided that those systems do not entail a high risk to legal and natural persons. In addition, AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons’ access to financial resources or essential services such as housing, electricity, and telecommunication services.
Show original text
AI systems that assess the credit scores or creditworthiness of individuals should be labeled as high-risk because they influence access to financial resources and essential services like housing, electricity, and telecommunications. These systems can lead to discrimination against individuals or groups based on factors such as race, ethnicity, gender, disabilities, age, or sexual orientation, and may also create new forms of discrimination. However, AI systems used under Union law to detect fraud in financial services and to calculate capital requirements for banks and insurance companies are not considered high-risk under this regulation. Additionally, AI systems used for risk assessment and pricing in health and life insurance can significantly affect people's lives and, if not properly designed, may violate their fundamental rights, leading to financial exclusion and discrimination. Lastly, AI systems that evaluate and prioritize emergency calls or dispatch emergency services, including police, firefighters, and medical aid, should also be classified as high-risk due to their critical role in life-and-death situations.
AI systems used to evaluate the credit score or creditworthiness of natural persons should be classified as high-risk AI systems, since they determine those persons’ access to financial resources or essential services such as housing, electricity, and telecommunication services. AI systems used for those purposes may lead to discrimination between persons or groups and may perpetuate historical patterns of discrimination, such as that based on racial or ethnic origins, gender, disabilities, age or sexual orientation, or may create new forms of discriminatory impacts. However, AI systems provided for by Union law for the purpose of detecting fraud in the offering of financial services and for prudential purposes to calculate credit institutions’ and insurance undertakings’ capital requirements should not be considered to be high-risk under this Regulation. Moreover, AI systems intended EN OJ L, 12.7.2024 16/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj to be used for risk assessment and pricing in relation to natural persons for health and life insurance can also have a significant impact on persons’ livelihood and if not duly designed, developed and used, can infringe their fundamental rights and can lead to serious consequences for people’s life and health, including financial exclusion and discrimination. Finally, AI systems used to evaluate and classify emergency calls by natural persons or to dispatch or establish priority in the dispatching of emergency first response services, including by police, firefighters and medical aid, as well as of emergency healthcare patient triage systems, should also be classified as high-risk since they make decisions in very critical situations for the life and health of persons and their property.
Show original text
Services provided by police, firefighters, and medical aid, as well as emergency healthcare patient triage systems, should be considered high-risk. This is because they make critical decisions that affect people's lives, health, and property. Actions taken by law enforcement using certain AI systems can create a power imbalance and may result in surveillance, arrests, or loss of personal freedom, which can negatively impact fundamental rights protected by the Charter. If an AI system is not trained with high-quality data, lacks proper performance, accuracy, or robustness, or is not adequately designed and tested before use, it may unfairly target individuals in a discriminatory way. Additionally, important rights such as the right to an effective remedy, a fair trial, the right to defend oneself, and the presumption of innocence could be compromised if these AI systems lack transparency, explainability, and proper documentation. Therefore, it is appropriate to classify certain AI systems used in law enforcement as high-risk, as their accuracy, reliability, and transparency are crucial to prevent negative consequences, maintain public trust, and ensure accountability and effective remedies.
services, including by police, firefighters and medical aid, as well as of emergency healthcare patient triage systems, should also be classified as high-risk since they make decisions in very critical situations for the life and health of persons and their property. (59) Given their role and responsibility, actions by law enforcement authorities involving certain uses of AI systems are characterised by a significant degree of power imbalance and may lead to surveillance, arrest or deprivation of a natural person’s liberty as well as other adverse impacts on fundamental rights guaranteed in the Charter. In particular, if the AI system is not trained with high-quality data, does not meet adequate requirements in terms of its performance, its accuracy or robustness, or is not properly designed and tested before being put on the market or otherwise put into service, it may single out people in a discriminatory or otherwise incorrect or unjust manner. Furthermore, the exercise of important procedural fundamental rights, such as the right to an effective remedy and to a fair trial as well as the right of defence and the presumption of innocence, could be hampered, in particular, where such AI systems are not sufficiently transparent, explainable and documented. It is therefore appropriate to classify as high-risk, insofar as their use is permitted under relevant Union and national law, a number of AI systems intended to be used in the law enforcement context where accuracy, reliability and transparency is particularly important to avoid adverse impacts, retain public trust and ensure accountability and effective redress.
Show original text
Under relevant Union and national laws, certain AI systems are allowed for use in law enforcement, where accuracy, reliability, and transparency are crucial to maintain public trust and ensure accountability. High-risk AI systems include those used by law enforcement authorities or Union institutions to assess the risk of individuals becoming victims of crimes, such as polygraphs and similar tools. These systems may also evaluate the reliability of evidence during criminal investigations or prosecutions. However, they should not solely rely on profiling individuals based on personality traits or past criminal behavior. AI systems used for administrative tasks by tax and customs authorities or financial intelligence units under anti-money laundering laws are not classified as high-risk for law enforcement purposes. The use of AI by law enforcement should not create inequality or exclusion. It is important to consider how AI tools affect the defense rights of suspects, especially regarding their ability to understand and challenge the results of these systems in court.
permitted under relevant Union and national law, a number of AI systems intended to be used in the law enforcement context where accuracy, reliability and transparency is particularly important to avoid adverse impacts, retain public trust and ensure accountability and effective redress. In view of the nature of the activities and the risks relating thereto, those high-risk AI systems should include in particular AI systems intended to be used by or on behalf of law enforcement authorities or by Union institutions, bodies, offices, or agencies in support of law enforcement authorities for assessing the risk of a natural person to become a victim of criminal offences, as polygraphs and similar tools, for the evaluation of the reliability of evidence in in the course of investigation or prosecution of criminal offences, and, insofar as not prohibited under this Regulation, for assessing the risk of a natural person offending or reoffending not solely on the basis of the profiling of natural persons or the assessment of personality traits and characteristics or the past criminal behaviour of natural persons or groups, for profiling in the course of detection, investigation or prosecution of criminal offences. AI systems specifically intended to be used for administrative proceedings by tax and customs authorities as well as by financial intelligence units carrying out administrative tasks analysing information pursuant to Union anti-money laundering law should not be classified as high-risk AI systems used by law enforcement authorities for the purpose of prevention, detection, investigation and prosecution of criminal offences. The use of AI tools by law enforcement and other relevant authorities should not become a factor of inequality, or exclusion. The impact of the use of AI tools on the defence rights of suspects should not be ignored, in particular the difficulty in obtaining meaningful information on the functioning of those systems and the resulting difficulty in challenging their results in court, in particular by natural persons under investigation.
Show original text
The use of AI tools in the defense rights of suspects is important and should not be overlooked. There are challenges in understanding how these systems work, which makes it hard for individuals under investigation to contest their results in court. AI systems used in migration, asylum, and border control impact vulnerable individuals who rely on the decisions made by public authorities. Therefore, it is crucial that these AI systems are accurate, non-discriminatory, and transparent to protect the fundamental rights of these individuals, including their rights to free movement, non-discrimination, privacy, international protection, and fair administration. AI systems used by public authorities or EU institutions in migration, asylum, and border control should be classified as high-risk. This includes tools like polygraphs that assess risks for individuals entering a Member State or applying for visas or asylum. These systems should also help authorities evaluate applications for asylum, visas, and residence permits, and assist in identifying individuals in migration contexts, excluding travel document verification. AI systems in this area must comply with the procedural requirements set by Regulation (EC) No 810/2009 of the European Parliament.
AI tools on the defence rights of suspects should not be ignored, in particular the difficulty in obtaining meaningful information on the functioning of those systems and the resulting difficulty in challenging their results in court, in particular by natural persons under investigation. (60) AI systems used in migration, asylum and border control management affect persons who are often in particularly vulnerable position and who are dependent on the outcome of the actions of the competent public authorities. The accuracy, non-discriminatory nature and transparency of the AI systems used in those contexts are therefore particularly important to guarantee respect for the fundamental rights of the affected persons, in particular their rights to free movement, non-discrimination, protection of private life and personal data, international protection and good administration. It is therefore appropriate to classify as high-risk, insofar as their use is permitted under relevant Union and national law, AI systems intended to be used by or on behalf of competent public authorities or by Union institutions, bodies, offices or agencies charged with tasks in the fields of migration, asylum and border control management as polygraphs and similar tools, for assessing certain risks posed by natural persons entering the territory of a Member State or applying for visa or asylum, for assisting competent public authorities for the examination, including related assessment of the reliability of evidence, of applications for asylum, visa and residence permits and associated complaints with regard to the objective to establish the eligibility of the natural persons applying for a status, for the purpose of detecting, recognising or identifying natural persons in the context of migration, asylum and border control management, with the exception of verification of travel documents. AI systems in the area of migration, asylum and border control management covered by this Regulation should comply with the relevant procedural requirements set by the Regulation (EC) No 810/2009 of the European Parliament and OJ L, 12.7.
Show original text
The regulation on migration, asylum, and border control must follow the procedural rules set by Regulation (EC) No 810/2009 and Directive 2013/32/EU, along with other relevant EU laws. AI systems used in these areas cannot be employed by Member States or EU institutions to bypass their international obligations under the UN Convention on Refugees from July 28, 1951, and its 1967 Protocol. They must not violate the principle of non-refoulement or restrict safe and legal access to the EU, including the right to seek international protection. Additionally, certain AI systems used in justice and democratic processes are classified as high-risk due to their significant impact on democracy, the rule of law, individual freedoms, and the right to a fair trial. This includes AI systems used by judicial authorities to assist in legal research and decision-making, as well as those used in alternative dispute resolution that have legal consequences for the parties involved.
the area of migration, asylum and border control management covered by this Regulation should comply with the relevant procedural requirements set by the Regulation (EC) No 810/2009 of the European Parliament and OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 17/144 of the Council (32), the Directive 2013/32/EU of the European Parliament and of the Council (33), and other relevant Union law. The use of AI systems in migration, asylum and border control management should, in no circumstances, be used by Member States or Union institutions, bodies, offices or agencies as a means to circumvent their international obligations under the UN Convention relating to the Status of Refugees done at Geneva on 28 July 1951 as amended by the Protocol of 31 January 1967. Nor should they be used to in any way infringe on the principle of non-refoulement, or to deny safe and effective legal avenues into the territory of the Union, including the right to international protection. (61) Certain AI systems intended for the administration of justice and democratic processes should be classified as high-risk, considering their potentially significant impact on democracy, the rule of law, individual freedoms as well as the right to an effective remedy and to a fair trial. In particular, to address the risks of potential biases, errors and opacity, it is appropriate to qualify as high-risk AI systems intended to be used by a judicial authority or on its behalf to assist judicial authorities in researching and interpreting facts and the law and in applying the law to a concrete set of facts. AI systems intended to be used by alternative dispute resolution bodies for those purposes should also be considered to be high-risk when the outcomes of the alternative dispute resolution proceedings produce legal effects for the parties.
Show original text
AI systems used in alternative dispute resolution (ADR) should be considered high-risk if their outcomes have legal consequences for the parties involved. While AI can assist judges in making decisions, it should not replace human judgment; final decisions must always be made by people. However, AI systems used for administrative tasks that do not impact individual cases, like anonymizing judicial documents or facilitating communication among staff, are not classified as high-risk. Additionally, AI systems that aim to influence election outcomes or voter behavior should also be classified as high-risk, except for those that are not directly seen by voters, such as tools for organizing political campaigns. It's important to note that being classified as high-risk under this regulation does not mean that the use of the AI system is legal under other EU or national laws, including those related to personal data protection or tools that assess people's emotional states.
law to a concrete set of facts. AI systems intended to be used by alternative dispute resolution bodies for those purposes should also be considered to be high-risk when the outcomes of the alternative dispute resolution proceedings produce legal effects for the parties. The use of AI tools can support the decision-making power of judges or judicial independence, but should not replace it: the final decision-making must remain a human-driven activity. The classification of AI systems as high-risk should not, however, extend to AI systems intended for purely ancillary administrative activities that do not affect the actual administration of justice in individual cases, such as anonymisation or pseudonymisation of judicial decisions, documents or data, communication between personnel, administrative tasks. (62) Without prejudice to the rules provided for in Regulation (EU) 2024/900 of the European Parliament and of the Council (34), and in order to address the risks of undue external interference with the right to vote enshrined in Article 39 of the Charter, and of adverse effects on democracy and the rule of law, AI systems intended to be used to influence the outcome of an election or referendum or the voting behaviour of natural persons in the exercise of their vote in elections or referenda should be classified as high-risk AI systems with the exception of AI systems whose output natural persons are not directly exposed to, such as tools used to organise, optimise and structure political campaigns from an administrative and logistical point of view. (63) The fact that an AI system is classified as a high-risk AI system under this Regulation should not be interpreted as indicating that the use of the system is lawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, on the use of polygraphs and similar tools or other systems to detect the emotional state of natural persons.
Show original text
The system is legal under various Union laws and national laws that align with Union law, such as those protecting personal data and regulating the use of polygraphs and similar tools to assess people's emotions. Any use of these tools must comply with the Charter and relevant Union and national laws. This Regulation does not provide a legal basis for processing personal data, including sensitive data, unless explicitly stated otherwise in the Regulation. To reduce risks from high-risk AI systems that are marketed or used, certain mandatory requirements must be met. These requirements will consider the intended use and context of the AI system, as well as the risk management system established by the provider. The measures taken by providers to meet these requirements should reflect the current best practices in AI and be effective in achieving the Regulation's goals. According to the New Legislative Framework, as explained in the Commission's 'Blue Guide' on EU product rules from 2022, multiple Union laws may apply to a single product. A product can only be made available or used if it complies with all relevant Union laws. The risks associated with AI systems addressed by this Regulation differ from those covered by existing Union laws, meaning this Regulation will add to the current legal framework.
system is lawful under other acts of Union law or under national law compatible with Union law, such as on the protection of personal data, on the use of polygraphs and similar tools or other systems to detect the emotional state of natural persons. Any such use should continue to occur solely in accordance with the applicable requirements resulting from the Charter and from the applicable acts of secondary Union law and national law. This Regulation should not be understood as providing for the legal ground for processing of personal data, including special categories of personal data, where relevant, unless it is specifically otherwise provided for in this Regulation. (64) To mitigate the risks from high-risk AI systems placed on the market or put into service and to ensure a high level of trustworthiness, certain mandatory requirements should apply to high-risk AI systems, taking into account the intended purpose and the context of use of the AI system and according to the risk-management system to be established by the provider. The measures adopted by the providers to comply with the mandatory requirements of this Regulation should take into account the generally acknowledged state of the art on AI, be proportionate and effective to meet the objectives of this Regulation. Based on the New Legislative Framework, as clarified in Commission notice ‘The “Blue Guide” on the implementation of EU product rules 2022’, the general rule is that more than one legal act of Union harmonisation legislation may be applicable to one product, since the making available or putting into service can take place only when the product complies with all applicable Union harmonisation legislation. The hazards of AI systems covered by the requirements of this Regulation concern different aspects than the existing Union harmonisation legislation and therefore the requirements of this Regulation would complement the existing body of the Union harmonisation legislation.
Show original text
The new Regulation on AI systems addresses risks that are different from those covered by existing Union harmonisation legislation. This means that the Regulation will add to the current laws rather than replace them. For instance, machinery or medical devices that use AI may have risks that the existing health and safety regulations do not cover. Therefore, it is important to apply both the new Regulation and the existing laws together.
Union harmonisation legislation. The hazards of AI systems covered by the requirements of this Regulation concern different aspects than the existing Union harmonisation legislation and therefore the requirements of this Regulation would complement the existing body of the Union harmonisation legislation. For example, machinery or medical devices products incorporating an AI system might present risks not addressed by the essential health and safety EN OJ L, 12.7.2024 18/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (32) Regulation (EC) No 810/2009 of the European Parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243, 15.9.2009, p. 1). (33) Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (OJ L 180, 29.6.2013, p. 60). (34) Regulation (EU) 2024/900 of the European parliament and of the Council of 13 March 2024 on the transparency and targeting of political advertising (OJ L, 2024/900, 20.3.2024, ELI: http://data.europa.eu/eli/reg/2024/900/oj). requirements set out in the relevant Union harmonised legislation, as that sectoral law does not deal with risks specific to AI systems. This calls for a simultaneous and complementary application of the various legislative acts.
Show original text
The requirements outlined in the relevant European Union laws do not specifically address the risks associated with AI systems. Therefore, it is necessary to apply various laws together. To maintain consistency and reduce unnecessary administrative burdens and costs, providers of products that include high-risk AI systems should have the flexibility to decide how to comply with all applicable laws. This flexibility might allow providers to combine some of the testing and reporting processes required by this Regulation with existing documentation and procedures from other EU laws. However, this does not lessen their obligation to meet all requirements. The risk management system for high-risk AI systems should be a continuous process that is planned and executed throughout the system's entire lifecycle. This process aims to identify and reduce risks related to health, safety, and fundamental rights. The risk management system should be regularly reviewed and updated to ensure it remains effective, and any significant decisions and actions taken under this Regulation should be documented and justified.
/reg/2024/900/oj). requirements set out in the relevant Union harmonised legislation, as that sectoral law does not deal with risks specific to AI systems. This calls for a simultaneous and complementary application of the various legislative acts. To ensure consistency and to avoid an unnecessary administrative burden and unnecessary costs, providers of a product that contains one or more high-risk AI system, to which the requirements of this Regulation and of the Union harmonisation legislation based on the New Legislative Framework and listed in an annex to this Regulation apply, should have flexibility with regard to operational decisions on how to ensure compliance of a product that contains one or more AI systems with all the applicable requirements of that Union harmonised legislation in an optimal manner. That flexibility could mean, for example a decision by the provider to integrate a part of the necessary testing and reporting processes, information and documentation required under this Regulation into already existing documentation and procedures required under existing Union harmonisation legislation based on the New Legislative Framework and listed in an annex to this Regulation. This should not, in any way, undermine the obligation of the provider to comply with all the applicable requirements. (65) The risk-management system should consist of a continuous, iterative process that is planned and run throughout the entire lifecycle of a high-risk AI system. That process should be aimed at identifying and mitigating the relevant risks of AI systems on health, safety and fundamental rights. The risk-management system should be regularly reviewed and updated to ensure its continuing effectiveness, as well as justification and documentation of any significant decisions and actions taken subject to this Regulation.
Show original text
AI systems can pose risks to health, safety, and fundamental rights. Providers must regularly review and update their risk-management systems to ensure they remain effective. They should document significant decisions and actions taken under this regulation. This process helps providers identify risks and implement measures to reduce known and foreseeable risks related to the AI system's intended use and potential misuse, including risks from the AI's interaction with its environment. Providers should choose the best risk-management measures based on the latest advancements in AI technology. When selecting these measures, they should document their decisions and involve experts and stakeholders when relevant. Providers must also consider potential misuses of high-risk AI systems that may not be directly related to their intended purpose but could arise from predictable human behavior. Any known risks associated with the intended use or foreseeable misuse of high-risk AI systems should be included in the user instructions provided by the provider. This ensures that users are aware of these risks when operating the AI system. Identifying and implementing measures to mitigate foreseeable misuse should not require additional training for the AI system. However, providers are encouraged to consider offering extra training to address reasonable foreseeable misuses when necessary.
risks of AI systems on health, safety and fundamental rights. The risk-management system should be regularly reviewed and updated to ensure its continuing effectiveness, as well as justification and documentation of any significant decisions and actions taken subject to this Regulation. This process should ensure that the provider identifies risks or adverse impacts and implements mitigation measures for the known and reasonably foreseeable risks of AI systems to the health, safety and fundamental rights in light of their intended purpose and reasonably foreseeable misuse, including the possible risks arising from the interaction between the AI system and the environment within which it operates. The risk-management system should adopt the most appropriate risk-management measures in light of the state of the art in AI. When identifying the most appropriate risk-management measures, the provider should document and explain the choices made and, when relevant, involve experts and external stakeholders. In identifying the reasonably foreseeable misuse of high-risk AI systems, the provider should cover uses of AI systems which, while not directly covered by the intended purpose and provided for in the instruction for use may nevertheless be reasonably expected to result from readily predictable human behaviour in the context of the specific characteristics and use of a particular AI system. Any known or foreseeable circumstances related to the use of the high-risk AI system in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to risks to the health and safety or fundamental rights should be included in the instructions for use that are provided by the provider. This is to ensure that the deployer is aware and takes them into account when using the high-risk AI system. Identifying and implementing risk mitigation measures for foreseeable misuse under this Regulation should not require specific additional training for the high-risk AI system by the provider to address foreseeable misuse. The providers however are encouraged to consider such additional training measures to mitigate reasonable foreseeable misuses as necessary and appropriate.
Show original text
Providers of high-risk AI systems do not need to provide specific additional training to prevent foreseeable misuse under this Regulation. However, they are encouraged to consider extra training measures to reduce potential misuses when necessary. High-risk AI systems must meet requirements related to risk management, data quality and relevance, technical documentation, record-keeping, transparency, human oversight, and cybersecurity. These requirements are essential to protect health, safety, and fundamental rights, and they do not unjustly restrict trade since no less trade-restrictive options are available. Access to high-quality data is crucial for the effective functioning of AI systems, especially those that rely on model training. This ensures that high-risk AI systems operate safely and do not lead to discrimination, as prohibited by Union law. To create high-quality training, validation, and testing data sets, proper data governance and management practices must be implemented. These data sets should be relevant, representative, and as error-free and complete as possible for their intended use. Additionally, to comply with Union data protection laws, such as Regulation (EU) 2016/679, data governance practices should ensure transparency about the original purpose of data collection, especially for personal data.
for foreseeable misuse under this Regulation should not require specific additional training for the high-risk AI system by the provider to address foreseeable misuse. The providers however are encouraged to consider such additional training measures to mitigate reasonable foreseeable misuses as necessary and appropriate. (66) Requirements should apply to high-risk AI systems as regards risk management, the quality and relevance of data sets used, technical documentation and record-keeping, transparency and the provision of information to deployers, human oversight, and robustness, accuracy and cybersecurity. Those requirements are necessary to effectively mitigate the risks for health, safety and fundamental rights. As no other less trade restrictive measures are reasonably available those requirements are not unjustified restrictions to trade. (67) High-quality data and access to high-quality data plays a vital role in providing structure and in ensuring the performance of many AI systems, especially when techniques involving the training of models are used, with a view to ensure that the high-risk AI system performs as intended and safely and it does not become a source of discrimination prohibited by Union law. High-quality data sets for training, validation and testing require the implementation of appropriate data governance and management practices. Data sets for training, validation and testing, including the labels, should be relevant, sufficiently representative, and to the best extent possible free of errors and complete in view of the intended purpose of the system. In order to facilitate compliance with Union data protection law, such as Regulation (EU) 2016/679, data governance and management practices should include, in the case of personal data, transparency about the original purpose of the data collection.
Show original text
To comply with Union data protection laws, like Regulation (EU) 2016/679, data management practices must ensure transparency about why personal data is collected. Data sets should have the right statistical properties, especially regarding the individuals or groups for whom high-risk AI systems are designed. It's crucial to address potential biases in these data sets, as they can negatively impact people's health and safety, violate fundamental rights, or lead to discrimination, particularly when the data influences future operations (feedback loops). Biases may arise from the data itself, especially if historical data is used, or from how the systems are applied in real-world situations. AI system results can be affected by these biases, which may worsen and perpetuate existing discrimination, especially against vulnerable groups like racial or ethnic minorities. While data sets should be as complete and accurate as possible, this should not hinder the use of privacy-preserving methods during AI development and testing. Additionally, data sets should consider the specific geographical, contextual, behavioral, or functional aspects relevant to the AI system's intended use.
order to facilitate compliance with Union data protection law, such as Regulation (EU) 2016/679, data governance and management practices should include, in the case of personal data, transparency about the original purpose of the data collection. The data sets should also have the appropriate statistical properties, including as regards the persons or groups of persons in relation to whom the high-risk AI system is intended to be used, with specific attention to the mitigation of possible biases in the data sets, that are likely to affect the health and safety of persons, have a negative impact on fundamental rights or lead to discrimination prohibited under Union law, especially where data outputs influence inputs for future operations OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 19/144 (feedback loops). Biases can for example be inherent in underlying data sets, especially when historical data is being used, or generated when the systems are implemented in real world settings. Results provided by AI systems could be influenced by such inherent biases that are inclined to gradually increase and thereby perpetuate and amplify existing discrimination, in particular for persons belonging to certain vulnerable groups, including racial or ethnic groups. The requirement for the data sets to be to the best extent possible complete and free of errors should not affect the use of privacy-preserving techniques in the context of the development and testing of AI systems. In particular, data sets should take into account, to the extent required by their intended purpose, the features, characteristics or elements that are particular to the specific geographical, contextual, behavioural or functional setting which the AI system is intended to be used.
Show original text
Data sets used for AI systems should consider the specific geographical, contextual, behavioral, or functional aspects relevant to their intended use. To meet data governance requirements, organizations can use third-party services that provide certified compliance, ensuring the integrity of data sets and proper practices for data training, validation, and testing in line with regulations. For high-risk AI systems, providers, notified bodies, and other relevant entities, such as European Digital Innovation Hubs and researchers, should have access to high-quality data sets related to their activities. The European Commission's establishment of common data spaces and promotion of data sharing between businesses and government will help ensure trustworthy and fair access to quality data for training, validating, and testing AI systems. For instance, the European health data space will allow equitable access to health data for training AI algorithms while maintaining privacy, security, transparency, and proper governance. Relevant authorities can also assist in providing high-quality data for these purposes. Throughout the entire lifecycle of an AI system, the right to privacy and protection of personal data must be upheld. This includes adhering to principles of data minimization and ensuring data protection by design and by default, as outlined in EU data protection laws when handling personal data.
, data sets should take into account, to the extent required by their intended purpose, the features, characteristics or elements that are particular to the specific geographical, contextual, behavioural or functional setting which the AI system is intended to be used. The requirements related to data governance can be complied with by having recourse to third parties that offer certified compliance services including verification of data governance, data set integrity, and data training, validation and testing practices, as far as compliance with the data requirements of this Regulation are ensured. (68) For the development and assessment of high-risk AI systems, certain actors, such as providers, notified bodies and other relevant entities, such as European Digital Innovation Hubs, testing experimentation facilities and researchers, should be able to access and use high-quality data sets within the fields of activities of those actors which are related to this Regulation. European common data spaces established by the Commission and the facilitation of data sharing between businesses and with government in the public interest will be instrumental to provide trustful, accountable and non-discriminatory access to high-quality data for the training, validation and testing of AI systems. For example, in health, the European health data space will facilitate non-discriminatory access to health data and the training of AI algorithms on those data sets, in a privacy-preserving, secure, timely, transparent and trustworthy manner, and with an appropriate institutional governance. Relevant competent authorities, including sectoral ones, providing or supporting the access to data may also support the provision of high-quality data for the training, validation and testing of AI systems. (69) The right to privacy and to protection of personal data must be guaranteed throughout the entire lifecycle of the AI system. In this regard, the principles of data minimisation and data protection by design and by default, as set out in Union data protection law, are applicable when personal data are processed.
Show original text
The entire lifecycle of an AI system must ensure data protection. This means following the principles of data minimization and data protection by design and by default, as outlined in EU data protection laws when handling personal data. Providers can comply with these principles by using methods like anonymization and encryption, as well as technologies that allow algorithms to access data without transferring or copying the actual data itself, while still adhering to data governance requirements in this Regulation. To prevent discrimination caused by bias in AI systems, providers may need to process special categories of personal data, but only when absolutely necessary for detecting and correcting bias in high-risk AI systems. This must be done with appropriate safeguards for individual rights and in accordance with the conditions set out in this Regulation and other relevant EU regulations. It is crucial to have clear information about how high-risk AI systems are developed and how they operate over time. This transparency is necessary for tracking these systems, ensuring they meet regulatory requirements, and monitoring their performance after they are on the market.
must be guaranteed throughout the entire lifecycle of the AI system. In this regard, the principles of data minimisation and data protection by design and by default, as set out in Union data protection law, are applicable when personal data are processed. Measures taken by providers to ensure compliance with those principles may include not only anonymisation and encryption, but also the use of technology that permits algorithms to be brought to the data and allows training of AI systems without the transmission between parties or copying of the raw or structured data themselves, without prejudice to the requirements on data governance provided for in this Regulation. (70) In order to protect the right of others from the discrimination that might result from the bias in AI systems, the providers should, exceptionally, to the extent that it is strictly necessary for the purpose of ensuring bias detection and correction in relation to the high-risk AI systems, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons and following the application of all applicable conditions laid down under this Regulation in addition to the conditions laid down in Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680, be able to process also special categories of personal data, as a matter of substantial public interest within the meaning of Article 9(2), point (g) of Regulation (EU) 2016/679 and Article 10(2), point (g) of Regulation (EU) 2018/1725. (71) Having comprehensible information on how high-risk AI systems have been developed and how they perform throughout their lifetime is essential to enable traceability of those systems, verify compliance with the requirements under this Regulation, as well as monitoring of their operations and post market monitoring.
Show original text
It is important to understand how high-risk AI systems are developed and how they operate over time. This understanding helps ensure that these systems can be traced, comply with regulations, and are monitored after they are on the market. To achieve this, records and technical documentation must be maintained. This documentation should include essential information to assess whether the AI system meets the required standards and to support ongoing monitoring. Key details should cover the system's general characteristics, capabilities, limitations, algorithms, data, and the processes used for training, testing, and validation. It should also include information about the risk management system, presented clearly and comprehensively. The technical documentation must be kept current throughout the AI system's lifespan. Additionally, high-risk AI systems should be designed to automatically log events during their operation. To address concerns about the complexity and lack of transparency in some AI systems, high-risk AI systems must provide clear information before they are sold or used. They should be designed so that users can understand how they work, assess their functionality, and recognize their strengths and weaknesses. Users should receive clear instructions that outline the system's characteristics, capabilities, and performance limitations.
on how high-risk AI systems have been developed and how they perform throughout their lifetime is essential to enable traceability of those systems, verify compliance with the requirements under this Regulation, as well as monitoring of their operations and post market monitoring. This requires keeping records and the availability of technical documentation, containing information which is necessary to assess the compliance of the AI system with the relevant requirements and facilitate post market monitoring. Such information should include the general characteristics, capabilities and limitations of the system, algorithms, data, training, testing and validation processes used as well as documentation on the relevant risk-management system and drawn in a clear and comprehensive form. The technical documentation should be kept up to date, appropriately throughout the lifetime of the AI system. Furthermore, high-risk AI systems should technically allow for the automatic recording of events, by means of logs, over the duration of the lifetime of the system. EN OJ L, 12.7.2024 20/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (72) To address concerns related to opacity and complexity of certain AI systems and help deployers to fulfil their obligations under this Regulation, transparency should be required for high-risk AI systems before they are placed on the market or put it into service. High-risk AI systems should be designed in a manner to enable deployers to understand how the AI system works, evaluate its functionality, and comprehend its strengths and limitations. High-risk AI systems should be accompanied by appropriate information in the form of instructions of use. Such information should include the characteristics, capabilities and limitations of performance of the AI system.
Show original text
High-risk AI systems must come with clear instructions that explain how to use them, their features, capabilities, and limitations. These instructions should address known and expected situations that could affect the AI system's behavior and performance, including actions by the user that might introduce risks to health, safety, and fundamental rights. They should also outline any changes that have been evaluated for compliance by the provider and detail relevant human oversight measures to help users interpret the AI system's outputs. Transparency in these instructions will help users make informed decisions and choose the right system based on their obligations. Users should be educated about the intended and prohibited uses of the AI system to ensure proper usage. To improve clarity, the instructions should include examples of limitations and appropriate uses. Providers must ensure that all documentation, including usage instructions, is meaningful, comprehensive, accessible, and easy to understand, considering the knowledge level of the intended users. Instructions should be available in a language that is easily understood by the target users, as determined by the relevant Member State.
works, evaluate its functionality, and comprehend its strengths and limitations. High-risk AI systems should be accompanied by appropriate information in the form of instructions of use. Such information should include the characteristics, capabilities and limitations of performance of the AI system. Those would cover information on possible known and foreseeable circumstances related to the use of the high-risk AI system, including deployer action that may influence system behaviour and performance, under which the AI system can lead to risks to health, safety, and fundamental rights, on the changes that have been pre-determined and assessed for conformity by the provider and on the relevant human oversight measures, including the measures to facilitate the interpretation of the outputs of the AI system by the deployers. Transparency, including the accompanying instructions for use, should assist deployers in the use of the system and support informed decision making by them. Deployers should, inter alia, be in a better position to make the correct choice of the system that they intend to use in light of the obligations applicable to them, be educated about the intended and precluded uses, and use the AI system correctly and as appropriate. In order to enhance legibility and accessibility of the information included in the instructions of use, where appropriate, illustrative examples, for instance on the limitations and on the intended and precluded uses of the AI system, should be included. Providers should ensure that all documentation, including the instructions for use, contains meaningful, comprehensive, accessible and understandable information, taking into account the needs and foreseeable knowledge of the target deployers. Instructions for use should be made available in a language which can be easily understood by target deployers, as determined by the Member State concerned.
Show original text
Instructions for using high-risk AI systems should be clear and easy to understand for the intended users, as determined by the relevant Member State. These systems must be designed so that people can monitor their operation, ensure they are used correctly, and manage their effects throughout their lifecycle. Before these systems are sold or put into use, the provider must identify suitable human oversight measures. These measures should ensure that the system has built-in limits that cannot be overridden by the system itself and that it responds to human operators. The individuals responsible for oversight must have the necessary skills, training, and authority. Additionally, high-risk AI systems should include features that help these individuals make informed decisions about when and how to intervene to prevent negative outcomes or to stop the system if it malfunctions. For biometric identification systems, which can have serious consequences if they make mistakes, there should be stricter oversight. No actions or decisions based on the system's identification should be made without verification from at least two people. These individuals can come from different organizations and may include the system's operator. This verification process should not create unnecessary delays, and it can be sufficient for the system to automatically log these verifications.
understandable information, taking into account the needs and foreseeable knowledge of the target deployers. Instructions for use should be made available in a language which can be easily understood by target deployers, as determined by the Member State concerned. (73) High-risk AI systems should be designed and developed in such a way that natural persons can oversee their functioning, ensure that they are used as intended and that their impacts are addressed over the system’s lifecycle. To that end, appropriate human oversight measures should be identified by the provider of the system before its placing on the market or putting into service. In particular, where appropriate, such measures should guarantee that the system is subject to in-built operational constraints that cannot be overridden by the system itself and is responsive to the human operator, and that the natural persons to whom human oversight has been assigned have the necessary competence, training and authority to carry out that role. It is also essential, as appropriate, to ensure that high-risk AI systems include mechanisms to guide and inform a natural person to whom human oversight has been assigned to make informed decisions if, when and how to intervene in order to avoid negative consequences or risks, or stop the system if it does not perform as intended. Considering the significant consequences for persons in the case of an incorrect match by certain biometric identification systems, it is appropriate to provide for an enhanced human oversight requirement for those systems so that no action or decision may be taken by the deployer on the basis of the identification resulting from the system unless this has been separately verified and confirmed by at least two natural persons. Those persons could be from one or more entities and include the person operating or using the system. This requirement should not pose unnecessary burden or delays and it could be sufficient that the separate verifications by the different persons are automatically recorded in the logs generated by the system.
Show original text
One or more entities, including the person using the system, must be involved. This requirement should not create unnecessary delays, and it may be enough for the system to automatically log separate verifications by different users. In areas like law enforcement, migration, border control, and asylum, this requirement may not apply if Union or national law deems it excessive. High-risk AI systems must operate consistently throughout their lifecycle and achieve a suitable level of accuracy, robustness, and cybersecurity based on their intended use and current best practices. The Commission and relevant organizations should focus on reducing risks and negative impacts of AI systems. Performance metrics should be clearly stated in the user instructions, and providers should communicate this information to users in a straightforward manner to avoid confusion or misleading claims. Union law on legal metrology, including Directives 2014/31/EU and 2014/32/EU, aims to ensure measurement accuracy and promote transparency and fairness in commercial transactions. The Commission should work with relevant stakeholders, such as metrology and benchmarking authorities, to develop benchmarks and measurement methods for AI systems. They should also collaborate with international partners on metrology and relevant AI measurement indicators.
one or more entities and include the person operating or using the system. This requirement should not pose unnecessary burden or delays and it could be sufficient that the separate verifications by the different persons are automatically recorded in the logs generated by the system. Given the specificities of the areas of law enforcement, migration, border control and asylum, this requirement should not apply where Union or national law considers the application of that requirement to be disproportionate. (74) High-risk AI systems should perform consistently throughout their lifecycle and meet an appropriate level of accuracy, robustness and cybersecurity, in light of their intended purpose and in accordance with the generally acknowledged state of the art. The Commission and relevant organisations and stakeholders are encouraged to take due consideration of the mitigation of risks and the negative impacts of the AI system. The expected level of performance metrics should be declared in the accompanying instructions of use. Providers are urged to communicate that information to deployers in a clear and easily understandable way, free of misunderstandings or misleading statements. Union law on legal metrology, including Directives 2014/31/EU (35) and 2014/32/EU (36) of the European Parliament and of the Council, aims to ensure the accuracy of measurements and to help the transparency and fairness of commercial transactions. In that context, in cooperation with relevant stakeholders and organisation, such as metrology and benchmarking authorities, the Commission should encourage, as appropriate, the development of benchmarks and measurement methodologies for AI systems. In doing so, the Commission should take note and collaborate with international partners working on metrology and relevant measurement indicators relating to AI. OJ L, 12.7.
Show original text
The Commission is working on creating benchmarks and measurement methods for AI systems. They should collaborate with international partners who are also focused on metrology and relevant AI measurement indicators. The European Parliament and Council's Directive 2014/31/EU, dated February 26, 2014, aims to harmonize laws across Member States regarding the market availability of non-automatic weighing instruments. Similarly, Directive 2014/32/EU, also from February 26, 2014, focuses on harmonizing laws for measuring instruments. For high-risk AI systems, technical robustness is crucial. These systems must be able to withstand harmful or undesirable behaviors that may arise from their limitations or the environments they operate in, such as errors or unexpected situations. To ensure this robustness, both technical and organizational measures should be implemented. This includes designing solutions that can prevent or reduce harmful behaviors, such as mechanisms that allow the system to safely stop functioning when anomalies occur or when it operates outside set limits. Failing to address these risks could lead to safety issues or violations of fundamental rights, such as making incorrect decisions or producing biased outputs.
the development of benchmarks and measurement methodologies for AI systems. In doing so, the Commission should take note and collaborate with international partners working on metrology and relevant measurement indicators relating to AI. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 21/144 (35) Directive 2014/31/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of non-automatic weighing instruments (OJ L 96, 29.3.2014, p. 107). (36) Directive 2014/32/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of measuring instruments (OJ L 96, 29.3.2014, p. 149). (75) Technical robustness is a key requirement for high-risk AI systems. They should be resilient in relation to harmful or otherwise undesirable behaviour that may result from limitations within the systems or the environment in which the systems operate (e.g. errors, faults, inconsistencies, unexpected situations). Therefore, technical and organisational measures should be taken to ensure robustness of high-risk AI systems, for example by designing and developing appropriate technical solutions to prevent or minimise harmful or otherwise undesirable behaviour. Those technical solution may include for instance mechanisms enabling the system to safely interrupt its operation (fail-safe plans) in the presence of certain anomalies or when operation takes place outside certain predetermined boundaries. Failure to protect against these risks could lead to safety impacts or negatively affect the fundamental rights, for example due to erroneous decisions or wrong or biased outputs generated by the AI system.
Show original text
Certain issues can arise when operations occur outside specific limits. If these risks are not managed, it could lead to safety problems or violate fundamental rights, such as making incorrect decisions or producing biased results from the AI system. Cybersecurity is essential for protecting AI systems from malicious attacks that could change how they operate, affect their performance, or compromise their security. Cyberattacks can target specific AI components, like training data (through data poisoning) or trained models (using adversarial attacks or membership inference), or exploit weaknesses in the AI system's digital assets or the underlying information and communication technology (ICT) infrastructure. To ensure adequate cybersecurity for high-risk AI systems, providers must implement appropriate security measures, considering the ICT infrastructure as needed. High-risk AI systems that comply with the European Parliament and Council's regulations on cybersecurity for digital products can meet the cybersecurity requirements of this Regulation by adhering to the essential cybersecurity standards outlined in that regulation. If these high-risk AI systems meet the essential requirements of the cybersecurity regulation, they will be considered compliant with the cybersecurity standards of this Regulation, as long as this compliance is confirmed in the EU declaration of conformity or relevant parts of it issued under that regulation.
certain anomalies or when operation takes place outside certain predetermined boundaries. Failure to protect against these risks could lead to safety impacts or negatively affect the fundamental rights, for example due to erroneous decisions or wrong or biased outputs generated by the AI system. (76) Cybersecurity plays a crucial role in ensuring that AI systems are resilient against attempts to alter their use, behaviour, performance or compromise their security properties by malicious third parties exploiting the system’s vulnerabilities. Cyberattacks against AI systems can leverage AI specific assets, such as training data sets (e.g. data poisoning) or trained models (e.g. adversarial attacks or membership inference), or exploit vulnerabilities in the AI system’s digital assets or the underlying ICT infrastructure. To ensure a level of cybersecurity appropriate to the risks, suitable measures, such as security controls, should therefore be taken by the providers of high-risk AI systems, also taking into account as appropriate the underlying ICT infrastructure. (77) Without prejudice to the requirements related to robustness and accuracy set out in this Regulation, high-risk AI systems which fall within the scope of a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, in accordance with that regulation may demonstrate compliance with the cybersecurity requirements of this Regulation by fulfilling the essential cybersecurity requirements set out in that regulation. When high-risk AI systems fulfil the essential requirements of a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, they should be deemed compliant with the cybersecurity requirements set out in this Regulation in so far as the achievement of those requirements is demonstrated in the EU declaration of conformity or parts thereof issued under that regulation.
Show original text
Products with digital elements must meet specific cybersecurity requirements outlined in this Regulation. They can be considered compliant if they demonstrate these requirements in the EU declaration of conformity. For high-risk AI systems, the assessment of cybersecurity risks must include potential threats from unauthorized users trying to change how the system operates, including specific AI vulnerabilities like data poisoning and adversarial attacks. It should also consider risks to fundamental rights as required by this Regulation. The conformity assessment process in this Regulation applies to the essential cybersecurity requirements for high-risk AI systems as defined by the European Parliament and Council's regulations on cybersecurity for digital products. However, this should not lower the necessary security standards for critical digital products. Therefore, high-risk AI systems that are also classified as important or critical products must follow the conformity assessment rules set out in the relevant cybersecurity regulations, ensuring they meet essential cybersecurity requirements.
cybersecurity requirements for products with digital elements, they should be deemed compliant with the cybersecurity requirements set out in this Regulation in so far as the achievement of those requirements is demonstrated in the EU declaration of conformity or parts thereof issued under that regulation. To that end, the assessment of the cybersecurity risks, associated to a product with digital elements classified as high-risk AI system according to this Regulation, carried out under a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, should consider risks to the cyber resilience of an AI system as regards attempts by unauthorised third parties to alter its use, behaviour or performance, including AI specific vulnerabilities such as data poisoning or adversarial attacks, as well as, as relevant, risks to fundamental rights as required by this Regulation. (78) The conformity assessment procedure provided by this Regulation should apply in relation to the essential cybersecurity requirements of a product with digital elements covered by a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and classified as a high-risk AI system under this Regulation. However, this rule should not result in reducing the necessary level of assurance for critical products with digital elements covered by a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements. Therefore, by way of derogation from this rule, high-risk AI systems that fall within the scope of this Regulation and are also qualified as important and critical products with digital elements pursuant to a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and to which the conformity assessment procedure based on internal control set out in an annex to this Regulation applies, are subject to the conformity assessment provisions of a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements insofar as the essential cybersecurity requirements of
Show original text
The annex to this Regulation outlines that certain products must meet the cybersecurity requirements set by a European Parliament and Council regulation for digital products. For other aspects of this Regulation, the conformity assessment provisions based on internal control in the annex will apply. The Commission will work with ENISA, the European Union Agency for Cybersecurity, on cybersecurity issues related to AI systems, utilizing ENISA's expertise as outlined in Regulation (EU) 2019/881. Additionally, a specific individual or organization, referred to as the provider, must be responsible for the market introduction or operation of a high-risk AI system, regardless of whether they designed or developed it.
out in an annex to this Regulation applies, are subject to the conformity assessment provisions of a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements insofar as the essential cybersecurity requirements of that regulation are concerned. In this case, for all the other aspects covered by this Regulation the respective provisions on conformity assessment based on internal control set out in an annex to this Regulation should apply. Building on the knowledge and expertise of ENISA on the cybersecurity policy and tasks assigned to ENISA under the Regulation (EU) 2019/881 of the European Parliament and of the Council (37), the Commission should cooperate with ENISA on issues related to cybersecurity of AI systems. EN OJ L, 12.7.2024 22/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (37) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15). (79) It is appropriate that a specific natural or legal person, defined as the provider, takes responsibility for the placing on the market or the putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system.
Show original text
A provider, whether an individual or a company, is responsible for bringing a high-risk AI system to market, even if they did not design or develop it. The European Union and its member countries are committed to protecting the rights of people with disabilities, ensuring they are not discriminated against and have equal access to information and communication technologies. As AI systems become more prevalent, it is important to apply universal design principles to ensure that everyone, including people with disabilities, can access and use these technologies while respecting their dignity and diversity. Providers must comply with accessibility standards, including EU Directives 2016/2102 and 2019/882, and should integrate these requirements into the design of high-risk AI systems from the start. Additionally, providers need to implement a strong quality management system, follow the necessary conformity assessment procedures, maintain proper documentation, and set up an effective post-market monitoring system. Providers of high-risk AI systems that already have quality management obligations under other EU laws can incorporate the requirements from this regulation into their existing systems.
natural or legal person, defined as the provider, takes responsibility for the placing on the market or the putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system. (80) As signatories to the United Nations Convention on the Rights of Persons with Disabilities, the Union and the Member States are legally obliged to protect persons with disabilities from discrimination and promote their equality, to ensure that persons with disabilities have access, on an equal basis with others, to information and communications technologies and systems, and to ensure respect for privacy for persons with disabilities. Given the growing importance and use of AI systems, the application of universal design principles to all new technologies and services should ensure full and equal access for everyone potentially affected by or using AI technologies, including persons with disabilities, in a way that takes full account of their inherent dignity and diversity. It is therefore essential that providers ensure full compliance with accessibility requirements, including Directive (EU) 2016/2102 of the European Parliament and of the Council (38) and Directive (EU) 2019/882. Providers should ensure compliance with these requirements by design. Therefore, the necessary measures should be integrated as much as possible into the design of the high-risk AI system. (81) The provider should establish a sound quality management system, ensure the accomplishment of the required conformity assessment procedure, draw up the relevant documentation and establish a robust post-market monitoring system. Providers of high-risk AI systems that are subject to obligations regarding quality management systems under relevant sectoral Union law should have the possibility to include the elements of the quality management system provided for in this Regulation as part of the existing quality management system provided for in that other sectoral Union law.
Show original text
Organizations that manage quality systems under relevant EU laws can incorporate elements from this Regulation into their existing quality management systems. Future standardization efforts by the Commission should consider how this Regulation complements existing laws. Public authorities using high-risk AI systems can adopt quality management rules at the national or regional level, tailored to their specific sector and organizational structure. To enforce this Regulation and ensure fair competition, it is crucial that any entity operating in the EU can provide authorities with necessary compliance information about their AI systems. Therefore, companies based outside the EU must appoint an authorized representative within the EU before offering their AI systems. This representative is responsible for ensuring compliance for high-risk AI systems and acts as the contact point in the EU. Given the complexity of AI systems and in accordance with the New Legislative Framework, it is important to clarify the roles and responsibilities of all parties involved in the AI value chain, including importers and distributors, to ensure legal clarity and compliance with this Regulation.
obligations regarding quality management systems under relevant sectoral Union law should have the possibility to include the elements of the quality management system provided for in this Regulation as part of the existing quality management system provided for in that other sectoral Union law. The complementarity between this Regulation and existing sectoral Union law should also be taken into account in future standardisation activities or guidance adopted by the Commission. Public authorities which put into service high-risk AI systems for their own use may adopt and implement the rules for the quality management system as part of the quality management system adopted at a national or regional level, as appropriate, taking into account the specificities of the sector and the competences and organisation of the public authority concerned. (82) To enable enforcement of this Regulation and create a level playing field for operators, and, taking into account the different forms of making available of digital products, it is important to ensure that, under all circumstances, a person established in the Union can provide authorities with all the necessary information on the compliance of an AI system. Therefore, prior to making their AI systems available in the Union, providers established in third countries should, by written mandate, appoint an authorised representative established in the Union. This authorised representative plays a pivotal role in ensuring the compliance of the high-risk AI systems placed on the market or put into service in the Union by those providers who are not established in the Union and in serving as their contact person established in the Union. (83) In light of the nature and complexity of the value chain for AI systems and in line with the New Legislative Framework, it is essential to ensure legal certainty and facilitate the compliance with this Regulation. Therefore, it is necessary to clarify the role and the specific obligations of relevant operators along that value chain, such as importers and distributors who may contribute to the development of AI systems.
Show original text
To ensure legal clarity and compliance with this Regulation, it is important to define the roles and responsibilities of key players in the value chain, such as importers and distributors involved in developing AI systems. These operators may take on multiple roles simultaneously and must meet all related obligations for each role. For instance, an operator could be both a distributor and an importer at the same time. To provide legal certainty, it should be clear that under specific conditions, any distributor, importer, deployer, or third party can be considered a provider of a high-risk AI system and must fulfill all relevant obligations. This applies if they put their name or trademark on a high-risk AI system already on the market, regardless of any contractual agreements that might assign responsibilities differently. It also applies if they make significant changes to a high-risk AI system already available, or if they alter the intended use of a non-high-risk AI system in a way that qualifies it as high-risk under this Regulation. These rules should be followed alongside any specific regulations set out in certain EU harmonization laws based on the New Legislative Framework.
ensure legal certainty and facilitate the compliance with this Regulation. Therefore, it is necessary to clarify the role and the specific obligations of relevant operators along that value chain, such as importers and distributors who may contribute to the development of AI systems. In certain situations those operators could act in more than one role at the same time and should therefore fulfil cumulatively all relevant obligations associated with those roles. For example, an operator could act as a distributor and an importer at the same time. (84) To ensure legal certainty, it is necessary to clarify that, under certain specific conditions, any distributor, importer, deployer or other third-party should be considered to be a provider of a high-risk AI system and therefore assume all the relevant obligations. This would be the case if that party puts its name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements stipulating that the obligations are allocated otherwise. This would also be the case if that party makes a substantial modification to a high-risk AI system that has already been placed on the market or has already been put into service in a way that it remains a high-risk AI system in accordance with this Regulation, or if it modifies the intended purpose of an AI system, including a general-purpose AI system, which has not been classified as high-risk and has already been placed on the market or put into service, in a way that the AI system becomes a high-risk AI system in accordance with this Regulation. Those provisions should apply without prejudice to more specific provisions established in certain Union harmonisation legislation based on the New Legislative Framework, together with which this OJ L, 12.7.
Show original text
This regulation outlines the requirements for high-risk AI systems. These rules apply alongside specific provisions from other EU legislation based on the New Legislative Framework. For instance, Article 16(2) of Regulation (EU) 2017/745 states that certain changes to medical devices should not be seen as modifications that affect compliance. This continues to apply to high-risk AI systems that are classified as medical devices. Additionally, general-purpose AI systems can be classified as high-risk either on their own or as parts of other high-risk systems. To ensure fair responsibility across the AI value chain, providers of these general-purpose AI systems must work closely with the providers of high-risk AI systems to meet compliance obligations and cooperate with the relevant authorities.
-risk AI system in accordance with this Regulation. Those provisions should apply without prejudice to more specific provisions established in certain Union harmonisation legislation based on the New Legislative Framework, together with which this OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 23/144 (38) Directive (EU) 2016/2102 of the European Parliament and of the Council of 26 October 2016 on the accessibility of the websites and mobile applications of public sector bodies (OJ L 327, 2.12.2016, p. 1). Regulation should apply. For example, Article 16(2) of Regulation (EU) 2017/745, establishing that certain changes should not be considered to be modifications of a device that could affect its compliance with the applicable requirements, should continue to apply to high-risk AI systems that are medical devices within the meaning of that Regulation. (85) General-purpose AI systems may be used as high-risk AI systems by themselves or be components of other high-risk AI systems. Therefore, due to their particular nature and in order to ensure a fair sharing of responsibilities along the AI value chain, the providers of such systems should, irrespective of whether they may be used as high-risk AI systems as such by other providers or as components of high-risk AI systems and unless provided otherwise under this Regulation, closely cooperate with the providers of the relevant high-risk AI systems to enable their compliance with the relevant obligations under this Regulation and with the competent authorities established under this Regulation.
Show original text
High-risk AI systems must work closely with their providers to ensure they meet the requirements of this Regulation and cooperate with the relevant authorities. If the original provider of an AI system is no longer considered the provider under this Regulation, and they have not explicitly stated that the AI system has changed to a high-risk category, the former provider must still cooperate. They need to share necessary information and provide technical support to help meet the obligations of this Regulation, especially regarding compliance assessments for high-risk AI systems. Additionally, if a high-risk AI system is part of a product covered by Union harmonization laws, the product manufacturer must ensure that the AI system within the product complies with this Regulation. Throughout the AI value chain, various parties contribute AI systems, tools, services, and components for different purposes, such as model training, testing, and integration into software.
of high-risk AI systems and unless provided otherwise under this Regulation, closely cooperate with the providers of the relevant high-risk AI systems to enable their compliance with the relevant obligations under this Regulation and with the competent authorities established under this Regulation. (86) Where, under the conditions laid down in this Regulation, the provider that initially placed the AI system on the market or put it into service should no longer be considered to be the provider for the purposes of this Regulation, and when that provider has not expressly excluded the change of the AI system into a high-risk AI system, the former provider should nonetheless closely cooperate and make available the necessary information and provide the reasonably expected technical access and other assistance that are required for the fulfilment of the obligations set out in this Regulation, in particular regarding the compliance with the conformity assessment of high-risk AI systems. (87) In addition, where a high-risk AI system that is a safety component of a product which falls within the scope of Union harmonisation legislation based on the New Legislative Framework is not placed on the market or put into service independently from the product, the product manufacturer defined in that legislation should comply with the obligations of the provider established in this Regulation and should, in particular, ensure that the AI system embedded in the final product complies with the requirements of this Regulation. (88) Along the AI value chain multiple parties often supply AI systems, tools and services but also components or processes that are incorporated by the provider into the AI system with various objectives, including the model training, model retraining, model testing and evaluation, integration into software, or other aspects of model development.
Show original text
Providers of high-risk AI systems rely on various components and processes from third parties for tasks like model training, testing, and integration into software. These third parties play a crucial role in the AI value chain and must provide the necessary information and support to the provider through a written agreement. This support should help the provider meet regulatory obligations while protecting the third parties' intellectual property rights. Third parties that offer tools, services, or AI components under a free and open-source license are not required to follow the same regulations as those that apply to the AI value chain, especially towards the providers using their offerings. However, developers of these free and open-source resources are encouraged to adopt standard documentation practices, like model cards and data sheets, to enhance information sharing and promote trustworthy AI systems in the EU. The Commission may create and suggest voluntary contract terms for cooperation between providers of high-risk AI systems and third parties supplying necessary tools and services. These terms should consider specific sector requirements and business cases.
and services but also components or processes that are incorporated by the provider into the AI system with various objectives, including the model training, model retraining, model testing and evaluation, integration into software, or other aspects of model development. Those parties have an important role to play in the value chain towards the provider of the high-risk AI system into which their AI systems, tools, services, components or processes are integrated, and should provide by written agreement this provider with the necessary information, capabilities, technical access and other assistance based on the generally acknowledged state of the art, in order to enable the provider to fully comply with the obligations set out in this Regulation, without compromising their own intellectual property rights or trade secrets. (89) Third parties making accessible to the public tools, services, processes, or AI components other than general-purpose AI models, should not be mandated to comply with requirements targeting the responsibilities along the AI value chain, in particular towards the provider that has used or integrated them, when those tools, services, processes, or AI components are made accessible under a free and open-source licence. Developers of free and open-source tools, services, processes, or AI components other than general-purpose AI models should be encouraged to implement widely adopted documentation practices, such as model cards and data sheets, as a way to accelerate information sharing along the AI value chain, allowing the promotion of trustworthy AI systems in the Union. (90) The Commission could develop and recommend voluntary model contractual terms between providers of high-risk AI systems and third parties that supply tools, services, components or processes that are used or integrated in high-risk AI systems, to facilitate the cooperation along the value chain. When developing voluntary model contractual terms, the Commission should also take into account possible contractual requirements applicable in specific sectors or business cases.
Show original text
High-risk AI systems require specific processes to ensure cooperation throughout the value chain. When creating voluntary model contracts, the Commission should consider any contractual requirements that may apply to specific sectors or business cases. Due to the potential risks to safety and fundamental rights associated with AI systems, it is important to establish clear responsibilities for those deploying these systems. Deployers must take appropriate technical and organizational measures to ensure that high-risk AI systems are used according to the provided instructions. They also have obligations regarding monitoring the AI systems' performance and maintaining proper records. Additionally, deployers must ensure that the individuals responsible for following the instructions and overseeing the AI systems have the necessary skills, training, and authority to perform their tasks effectively. These obligations do not replace other legal responsibilities that deployers may have under Union or national law regarding high-risk AI systems. This Regulation does not affect employers' obligations to inform or consult workers or their representatives under Union or national law, including Directive 2002/14/EC. It is essential to keep workers and their representatives informed about the planned use of high-risk AI systems in the workplace, especially when other legal requirements for information and consultation are not met.
processes that are used or integrated in high-risk AI systems, to facilitate the cooperation along the value chain. When developing voluntary model contractual terms, the Commission should also take into account possible contractual requirements applicable in specific sectors or business cases. (91) Given the nature of AI systems and the risks to safety and fundamental rights possibly associated with their use, including as regards the need to ensure proper monitoring of the performance of an AI system in a real-life setting, it is appropriate to set specific responsibilities for deployers. Deployers should in particular take appropriate technical and organisational measures to ensure they use high-risk AI systems in accordance with the instructions of use and certain other obligations should be provided for with regard to monitoring of the functioning of the AI systems and with regard to record-keeping, as appropriate. Furthermore, deployers should ensure that the persons assigned to implement the instructions for use and human oversight as set out in this Regulation have the necessary EN OJ L, 12.7.2024 24/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj competence, in particular an adequate level of AI literacy, training and authority to properly fulfil those tasks. Those obligations should be without prejudice to other deployer obligations in relation to high-risk AI systems under Union or national law. (92) This Regulation is without prejudice to obligations for employers to inform or to inform and consult workers or their representatives under Union or national law and practice, including Directive 2002/14/EC of the European Parliament and of the Council (39), on decisions to put into service or use AI systems. It remains necessary to ensure information of workers and their representatives on the planned deployment of high-risk AI systems at the workplace where the conditions for those information or information and consultation obligations in other legal instruments are not fulfilled.
Show original text
It is important to keep workers and their representatives informed about the planned use of high-risk AI systems in the workplace, especially when existing legal requirements for information and consultation are not met. This right to information is essential for protecting fundamental rights, which is the main goal of this Regulation. Therefore, this Regulation will include a requirement for providing such information, without affecting any current rights of workers. High-risk AI systems can pose risks not only based on their design but also on how they are used. Those who deploy these systems play a crucial role in safeguarding fundamental rights, in addition to the responsibilities of the AI system providers. Deployers have a better understanding of how the AI system will be used and can identify significant risks that may not have been anticipated during development, especially concerning the context of use and the individuals or groups affected, including vulnerable populations. Deployers of high-risk AI systems, as listed in an annex to this Regulation, must also inform individuals when decisions are made about them or with their assistance. This information should include the purpose of the AI system and the types of decisions it makes. Additionally, deployers must inform individuals of their right to an explanation as outlined in this Regulation. For high-risk AI systems used in law enforcement, this obligation must be followed according to Article 13 of Directive (EU) 2016/680.
AI systems. It remains necessary to ensure information of workers and their representatives on the planned deployment of high-risk AI systems at the workplace where the conditions for those information or information and consultation obligations in other legal instruments are not fulfilled. Moreover, such information right is ancillary and necessary to the objective of protecting fundamental rights that underlies this Regulation. Therefore, an information requirement to that effect should be laid down in this Regulation, without affecting any existing rights of workers. (93) Whilst risks related to AI systems can result from the way such systems are designed, risks can as well stem from how such AI systems are used. Deployers of high-risk AI system therefore play a critical role in ensuring that fundamental rights are protected, complementing the obligations of the provider when developing the AI system. Deployers are best placed to understand how the high-risk AI system will be used concretely and can therefore identify potential significant risks that were not foreseen in the development phase, due to a more precise knowledge of the context of use, the persons or groups of persons likely to be affected, including vulnerable groups. Deployers of high-risk AI systems listed in an annex to this Regulation also play a critical role in informing natural persons and should, when they make decisions or assist in making decisions related to natural persons, where applicable, inform the natural persons that they are subject to the use of the high-risk AI system. This information should include the intended purpose and the type of decisions it makes. The deployer should also inform the natural persons about their right to an explanation provided under this Regulation. With regard to high-risk AI systems used for law enforcement purposes, that obligation should be implemented in accordance with Article 13 of Directive (EU) 2016/680.
Show original text
Individuals have the right to receive an explanation under this Regulation. For high-risk AI systems used in law enforcement, this obligation must follow Article 13 of Directive (EU) 2016/680. Any use of biometric data for AI-based identification in law enforcement must comply with Article 10 of Directive (EU) 2016/680. This means such processing is only allowed when absolutely necessary, with proper safeguards for the rights of individuals, and must be authorized by EU or Member State law. When authorized, it must also adhere to principles in Article 4(1) of Directive (EU) 2016/680, which include legality, fairness, transparency, purpose limitation, accuracy, and storage limitation. Additionally, while respecting applicable EU laws, particularly Regulation (EU) 2016/679 and Directive (EU) 2016/680, the use of post-remote biometric identification systems, which can be intrusive, must have safeguards in place. These systems should be used in a way that is proportionate, legitimate, and strictly necessary, targeting specific individuals, locations, and timeframes, and based on a closed set of legally obtained video footage. They should not be used for indiscriminate surveillance in law enforcement. The conditions for using post-remote biometric identification must not allow for bypassing the strict rules against real-time remote biometric identification.
persons about their right to an explanation provided under this Regulation. With regard to high-risk AI systems used for law enforcement purposes, that obligation should be implemented in accordance with Article 13 of Directive (EU) 2016/680. (94) Any processing of biometric data involved in the use of AI systems for biometric identification for the purpose of law enforcement needs to comply with Article 10 of Directive (EU) 2016/680, that allows such processing only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject, and where authorised by Union or Member State law. Such use, when authorised, also needs to respect the principles laid down in Article 4 (1) of Directive (EU) 2016/680 including lawfulness, fairness and transparency, purpose limitation, accuracy and storage limitation. (95) Without prejudice to applicable Union law, in particular Regulation (EU) 2016/679 and Directive (EU) 2016/680, considering the intrusive nature of post-remote biometric identification systems, the use of post-remote biometric identification systems should be subject to safeguards. Post-remote biometric identification systems should always be used in a way that is proportionate, legitimate and strictly necessary, and thus targeted, in terms of the individuals to be identified, the location, temporal scope and based on a closed data set of legally acquired video footage. In any case, post-remote biometric identification systems should not be used in the framework of law enforcement to lead to indiscriminate surveillance. The conditions for post-remote biometric identification should in any case not provide a basis to circumvent the conditions of the prohibition and strict exceptions for real time remote biometric identification.
Show original text
The law enforcement framework should not allow for widespread surveillance. The rules for using remote biometric identification after the fact should not bypass the strict rules against real-time remote biometric identification. To protect fundamental rights, organizations that deploy high-risk AI systems, including public bodies and private companies that provide public services (like banks and insurance companies), must conduct a fundamental rights impact assessment before using these systems. This assessment aims to identify potential risks to individuals' rights and outline measures to address those risks. It should be done before the AI system is deployed and updated if any relevant circumstances change.
framework of law enforcement to lead to indiscriminate surveillance. The conditions for post-remote biometric identification should in any case not provide a basis to circumvent the conditions of the prohibition and strict exceptions for real time remote biometric identification. (96) In order to efficiently ensure that fundamental rights are protected, deployers of high-risk AI systems that are bodies governed by public law, or private entities providing public services and deployers of certain high-risk AI systems listed in an annex to this Regulation, such as banking or insurance entities, should carry out a fundamental rights impact assessment prior to putting it into use. Services important for individuals that are of public nature may also be provided by private entities. Private entities providing such public services are linked to tasks in the public interest such as in the areas of education, healthcare, social services, housing, administration of justice. The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals likely to be affected, identify measures to be taken in the case of a materialisation of those risks. The impact assessment should be performed prior to deploying the high-risk AI system, and should be updated OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 25/144 (39) Directive 2002/14/EC of the European Parliament and of the Council of 11 March 2002 establishing a general framework for informing and consulting employees in the European Community (OJ L 80, 23.3.2002, p. 29). when the deployer considers that any of the relevant factors have changed.
Show original text
The document establishes a framework for informing and consulting employees in the European Community (OJ L 80, 23.3.2002, p. 29). When the deployer of a high-risk AI system believes that relevant factors have changed, they must conduct an impact assessment. This assessment should identify how the AI system will be used, including the duration and frequency of its use, as well as the specific individuals or groups that may be affected. It should also identify potential risks that could harm the fundamental rights of these individuals or groups. The deployer must consider all relevant information, including guidance from the AI system's provider. Based on the identified risks, the deployer should establish measures to address these risks, such as governance arrangements for human oversight, complaint handling, and redress procedures. After completing the impact assessment, the deployer must notify the relevant market surveillance authority. If necessary, especially in public sector applications, deployers should involve stakeholders, including representatives of affected groups, independent experts, and civil society organizations, in the assessment process and in designing risk mitigation measures.
2 establishing a general framework for informing and consulting employees in the European Community (OJ L 80, 23.3.2002, p. 29). when the deployer considers that any of the relevant factors have changed. The impact assessment should identify the deployer’s relevant processes in which the high-risk AI system will be used in line with its intended purpose, and should include a description of the period of time and frequency in which the system is intended to be used as well as of specific categories of natural persons and groups who are likely to be affected in the specific context of use. The assessment should also include the identification of specific risks of harm likely to have an impact on the fundamental rights of those persons or groups. While performing this assessment, the deployer should take into account information relevant to a proper assessment of the impact, including but not limited to the information given by the provider of the high-risk AI system in the instructions for use. In light of the risks identified, deployers should determine measures to be taken in the case of a materialisation of those risks, including for example governance arrangements in that specific context of use, such as arrangements for human oversight according to the instructions of use or, complaint handling and redress procedures, as they could be instrumental in mitigating risks to fundamental rights in concrete use-cases. After performing that impact assessment, the deployer should notify the relevant market surveillance authority. Where appropriate, to collect relevant information necessary to perform the impact assessment, deployers of high-risk AI system, in particular when AI systems are used in the public sector, could involve relevant stakeholders, including the representatives of groups of persons likely to be affected by the AI system, independent experts, and civil society organisations in conducting such impact assessments and designing measures to be taken in the case of materialisation of the risks.
Show original text
Relevant stakeholders, including representatives from groups likely to be affected by AI systems, independent experts, and civil society organizations, should be involved in impact assessments and in designing measures to address potential risks. The European Artificial Intelligence Office (AI Office) will create a questionnaire template to help ensure compliance and reduce the administrative burden for those deploying AI. The term 'general-purpose AI models' needs a clear definition, distinct from 'AI systems,' to provide legal clarity. This definition should focus on the main features of general-purpose AI models, particularly their ability to perform a wide variety of tasks. These models are usually trained on large datasets using methods like self-supervised, unsupervised, or reinforcement learning. They can be made available in different ways, such as through libraries, APIs, direct downloads, or physical copies, and can be modified into new models. While AI models are crucial for AI systems, they are not complete systems by themselves. They need additional components, like a user interface, to function as AI systems. This regulation outlines specific rules for general-purpose AI models, especially those that pose systemic risks, which also apply when these models are part of an AI system. Providers of general-purpose AI models must comply with these obligations once the models are available on the market.
relevant stakeholders, including the representatives of groups of persons likely to be affected by the AI system, independent experts, and civil society organisations in conducting such impact assessments and designing measures to be taken in the case of materialisation of the risks. The European Artificial Intelligence Office (AI Office) should develop a template for a questionnaire in order to facilitate compliance and reduce the administrative burden for deployers. (97) The notion of general-purpose AI models should be clearly defined and set apart from the notion of AI systems to enable legal certainty. The definition should be based on the key functional characteristics of a general-purpose AI model, in particular the generality and the capability to competently perform a wide range of distinct tasks. These models are typically trained on large amounts of data, through various methods, such as self-supervised, unsupervised or reinforcement learning. General-purpose AI models may be placed on the market in various ways, including through libraries, application programming interfaces (APIs), as direct download, or as physical copy. These models may be further modified or fine-tuned into new models. Although AI models are essential components of AI systems, they do not constitute AI systems on their own. AI models require the addition of further components, such as for example a user interface, to become AI systems. AI models are typically integrated into and form part of AI systems. This Regulation provides specific rules for general-purpose AI models and for general-purpose AI models that pose systemic risks, which should apply also when these models are integrated or form part of an AI system. It should be understood that the obligations for the providers of general-purpose AI models should apply once the general-purpose AI models are placed on the market.
Show original text
The risks associated with AI models should also apply when these models are part of an AI system. Providers of general-purpose AI models must meet their obligations once these models are available on the market. If a provider integrates their own model into an AI system that is sold or used, that model is considered to be on the market, and the obligations for models will still apply alongside those for AI systems. However, these obligations do not apply if the model is used only for internal processes that do not affect third-party products or services and do not impact individual rights. Due to their potential for significant negative effects, general-purpose AI models that pose systemic risks must always comply with the relevant regulations. Additionally, models used solely for research, development, and prototyping before being marketed are not covered by these obligations, but they must comply with regulations once they are placed on the market. Models with at least one billion parameters, trained on large datasets using self-supervision, are considered to have significant generality and can perform a wide range of tasks. Large generative AI models are a prime example of general-purpose AI models, as they can flexibly generate various types of content, including text, audio, images, and video, suitable for many different tasks.
risks, which should apply also when these models are integrated or form part of an AI system. It should be understood that the obligations for the providers of general-purpose AI models should apply once the general-purpose AI models are placed on the market. When the provider of a general-purpose AI model integrates an own model into its own AI system that is made available on the market or put into service, that model should be considered to be placed on the market and, therefore, the obligations in this Regulation for models should continue to apply in addition to those for AI systems. The obligations laid down for models should in any case not apply when an own model is used for purely internal processes that are not essential for providing a product or a service to third parties and the rights of natural persons are not affected. Considering their potential significantly negative effects, the general-purpose AI models with systemic risk should always be subject to the relevant obligations under this Regulation. The definition should not cover AI models used before their placing on the market for the sole purpose of research, development and prototyping activities. This is without prejudice to the obligation to comply with this Regulation when, following such activities, a model is placed on the market. (98) Whereas the generality of a model could, inter alia, also be determined by a number of parameters, models with at least a billion of parameters and trained with a large amount of data using self-supervision at scale should be considered to display significant generality and to competently perform a wide range of distinctive tasks. (99) Large generative AI models are a typical example for a general-purpose AI model, given that they allow for flexible generation of content, such as in the form of text, audio, images or video, that can readily accommodate a wide range of distinctive tasks.
Show original text
AI models are a common example of general-purpose AI because they can create various types of content, including text, audio, images, and video, for many different tasks. When a general-purpose AI model is part of an AI system, that system is considered a general-purpose AI system if it can serve multiple functions. Such a system can be used on its own or integrated into other AI systems. Providers of general-purpose AI models have important responsibilities in the AI value chain. Their models often serve as the foundation for various downstream systems created by other providers. These downstream providers need to understand the models and their capabilities to integrate them into their products and comply with regulations. Therefore, there should be clear transparency measures, including maintaining up-to-date documentation and providing information about the general-purpose AI model for downstream providers. The model provider must prepare and keep technical documentation current, which should be available to the AI Office and national authorities upon request. Specific elements that must be included in this documentation will be outlined in annexes to this Regulation, and the Commission can update these annexes as technology evolves.
AI models are a typical example for a general-purpose AI model, given that they allow for flexible generation of content, such as in the form of text, audio, images or video, that can readily accommodate a wide range of distinctive tasks. (100) When a general-purpose AI model is integrated into or forms part of an AI system, this system should be considered to be general-purpose AI system when, due to this integration, this system has the capability to serve a variety of purposes. A general-purpose AI system can be used directly, or it may be integrated into other AI systems. EN OJ L, 12.7.2024 26/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (101) Providers of general-purpose AI models have a particular role and responsibility along the AI value chain, as the models they provide may form the basis for a range of downstream systems, often provided by downstream providers that necessitate a good understanding of the models and their capabilities, both to enable the integration of such models into their products, and to fulfil their obligations under this or other regulations. Therefore, proportionate transparency measures should be laid down, including the drawing up and keeping up to date of documentation, and the provision of information on the general-purpose AI model for its usage by the downstream providers. Technical documentation should be prepared and kept up to date by the general-purpose AI model provider for the purpose of making it available, upon request, to the AI Office and the national competent authorities. The minimal set of elements to be included in such documentation should be set out in specific annexes to this Regulation. The Commission should be empowered to amend those annexes by means of delegated acts in light of evolving technological developments.
Show original text
Authorities need to outline the essential elements for documentation in specific annexes to this Regulation. The Commission can update these annexes through delegated acts as technology evolves. Software and data, including models, that are released under a free and open-source license allow users to share, access, modify, and redistribute them freely. This can boost research and innovation and create significant growth opportunities for the Union economy. General-purpose AI models under such licenses should ensure transparency by making their parameters, model architecture, and usage information publicly available. A license is considered free and open-source if it permits users to run, copy, distribute, study, change, and improve the software and data, as long as the original provider is credited and distribution terms are respected. Free and open-source AI components include software, data, models, tools, services, or processes of an AI system. These components can be shared through various channels, including open repositories. However, AI components that are sold or monetized in any way, such as through technical support or services, or that use personal data for purposes other than improving software security, compatibility, or interoperability (except for transactions between microenterprises), do not qualify for the exceptions granted to free and open-source AI components.
authorities. The minimal set of elements to be included in such documentation should be set out in specific annexes to this Regulation. The Commission should be empowered to amend those annexes by means of delegated acts in light of evolving technological developments. (102) Software and data, including models, released under a free and open-source licence that allows them to be openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market and can provide significant growth opportunities for the Union economy. General-purpose AI models released under free and open-source licences should be considered to ensure high levels of transparency and openness if their parameters, including the weights, the information on the model architecture, and the information on model usage are made publicly available. The licence should be considered to be free and open-source also when it allows users to run, copy, distribute, study, change and improve software and data, including models under the condition that the original provider of the model is credited, the identical or comparable terms of distribution are respected. (103) Free and open-source AI components covers the software and data, including models and general-purpose AI models, tools, services or processes of an AI system. Free and open-source AI components can be provided through different channels, including their development on open repositories. For the purposes of this Regulation, AI components that are provided against a price or otherwise monetised, including through the provision of technical support or other services, including through a software platform, related to the AI component, or the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, with the exception of transactions between microenterprises, should not benefit from the exceptions provided to free and open-source AI components.
Show original text
Personal data should not be used for purposes other than improving software security, compatibility, or interoperability, except for transactions between microenterprises. Making AI components available in open repositories does not mean they can be monetized. Providers of general-purpose AI models that are released under a free and open-source license must meet transparency requirements unless their models pose a systemic risk. In such cases, being transparent and open-source does not exempt them from regulatory obligations. Additionally, releasing these models does not automatically disclose important information about the training data or copyright compliance. Therefore, they still need to provide a summary of the training content and ensure they follow copyright laws, particularly Article 4(3) of Directive (EU) 2019/790. General-purpose AI models, especially large generative ones that create text, images, and other content, offer significant innovation opportunities but also pose challenges for artists, authors, and creators regarding how their work is created, shared, and used.
use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, with the exception of transactions between microenterprises, should not benefit from the exceptions provided to free and open-source AI components. The fact of making AI components available through open repositories should not, in itself, constitute a monetisation. (104) The providers of general-purpose AI models that are released under a free and open-source licence, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available should be subject to exceptions as regards the transparency-related requirements imposed on general-purpose AI models, unless they can be considered to present a systemic risk, in which case the circumstance that the model is transparent and accompanied by an open-source license should not be considered to be a sufficient reason to exclude compliance with the obligations under this Regulation. In any case, given that the release of general-purpose AI models under free and open-source licence does not necessarily reveal substantial information on the data set used for the training or fine-tuning of the model and on how compliance of copyright law was thereby ensured, the exception provided for general-purpose AI models from compliance with the transparency-related requirements should not concern the obligation to produce a summary about the content used for model training and the obligation to put in place a policy to comply with Union copyright law, in particular to identify and comply with the reservation of rights pursuant to Article 4(3) of Directive (EU) 2019/790 of the European Parliament and of the Council (40). (105) General-purpose AI models, in particular large generative AI models, capable of generating text, images, and other content, present unique innovation opportunities but also challenges to artists, authors, and other creators and the way their creative content is created, distributed, used and consumed.
Show original text
Large generative AI models can create text, images, and other content, offering new opportunities and challenges for artists, authors, and creators regarding how their work is made, shared, and used. Developing these models requires access to a lot of data, including text, images, and videos. Techniques for text and data mining are often used to gather and analyze this content, which may be protected by copyright. To use copyrighted material, permission from the rights holder is usually needed, unless specific copyright exceptions apply. Directive (EU) 2019/790 allows for certain reproductions and extractions of works for text and data mining under specific conditions. Rights holders can choose to protect their works from text and data mining, except for scientific research purposes. If rights holders have opted out, AI model providers must get permission from them to perform text and data mining on those works.
particular large generative AI models, capable of generating text, images, and other content, present unique innovation opportunities but also challenges to artists, authors, and other creators and the way their creative content is created, distributed, used and consumed. The development and training of such models require access to vast amounts of text, images, videos and other data. Text and data mining techniques may be used extensively in this context for the retrieval and analysis of such content, which may be protected by copyright and related rights. Any use of copyright protected content requires the authorisation of the rightsholder concerned unless relevant copyright exceptions and limitations apply. Directive (EU) 2019/790 introduced exceptions and limitations allowing reproductions and extractions of works or other subject matter, for the purpose of text and data OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 27/144 (40) Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC (OJ L 130, 17.5.2019, p. 92). mining, under certain conditions. Under these rules, rightsholders may choose to reserve their rights over their works or other subject matter to prevent text and data mining, unless this is done for the purposes of scientific research. Where the rights to opt out has been expressly reserved in an appropriate manner, providers of general-purpose AI models need to obtain an authorisation from rightsholders if they want to carry out text and data mining over such works.
Show original text
Providers of general-purpose AI models must get permission from copyright holders if they want to use text and data from works where the right to opt out has been clearly stated. They need to follow the rules set out in the relevant regulations to ensure they respect copyright and related rights, particularly as outlined in Article 4(3) of Directive (EU) 2019/790. This requirement applies to all providers placing AI models on the market in the European Union, regardless of where the copyright-related activities occur. This ensures fair competition, preventing any provider from gaining an advantage by adhering to lower copyright standards than those in the EU. To promote transparency about the data used to train these AI models, including copyrighted material, providers should create and publicly share a detailed summary of the training content. This summary should be broad enough to help copyright holders and others with legitimate interests understand and enforce their rights, while still protecting trade secrets and confidential information. It should include information about the main data collections used, such as large private or public databases, and provide a general explanation of other data sources.
research. Where the rights to opt out has been expressly reserved in an appropriate manner, providers of general-purpose AI models need to obtain an authorisation from rightsholders if they want to carry out text and data mining over such works. (106) Providers that place general-purpose AI models on the Union market should ensure compliance with the relevant obligations in this Regulation. To that end, providers of general-purpose AI models should put in place a policy to comply with Union law on copyright and related rights, in particular to identify and comply with the reservation of rights expressed by rightsholders pursuant to Article 4(3) of Directive (EU) 2019/790. Any provider placing a general-purpose AI model on the Union market should comply with this obligation, regardless of the jurisdiction in which the copyright-relevant acts underpinning the training of those general-purpose AI models take place. This is necessary to ensure a level playing field among providers of general-purpose AI models where no provider should be able to gain a competitive advantage in the Union market by applying lower copyright standards than those provided in the Union. (107) In order to increase transparency on the data that is used in the pre-training and training of general-purpose AI models, including text and data protected by copyright law, it is adequate that providers of such models draw up and make publicly available a sufficiently detailed summary of the content used for training the general-purpose AI model. While taking into due account the need to protect trade secrets and confidential business information, this summary should be generally comprehensive in its scope instead of technically detailed to facilitate parties with legitimate interests, including copyright holders, to exercise and enforce their rights under Union law, for example by listing the main data collections or sets that went into training the model, such as large private or public databases or data archives, and by providing a narrative explanation about other data sources used.
Show original text
Providers of general-purpose AI models must follow Union law by clearly listing the main data collections used to train their models, such as large private or public databases. They should also provide a narrative explanation of any other data sources used. The AI Office will create a simple template for this summary to help providers present the information effectively. The AI Office is responsible for ensuring that these providers have a policy in place to comply with Union copyright law and that they publicly share a summary of the content used for training. However, the AI Office will not conduct detailed checks on each piece of training data for copyright compliance. This regulation does not change existing copyright laws under Union law. Compliance requirements for AI model providers should be appropriate to the type of provider. Individuals developing or using models for personal or non-scientific research do not need to comply, but they are encouraged to do so voluntarily. Compliance should also consider the size of the provider, allowing smaller businesses and startups to meet requirements in a cost-effective way. If a model is modified or fine-tuned, the compliance obligations should only apply to those changes, such as updating technical documentation with information about new training data sources.
and enforce their rights under Union law, for example by listing the main data collections or sets that went into training the model, such as large private or public databases or data archives, and by providing a narrative explanation about other data sources used. It is appropriate for the AI Office to provide a template for the summary, which should be simple, effective, and allow the provider to provide the required summary in narrative form. (108) With regard to the obligations imposed on providers of general-purpose AI models to put in place a policy to comply with Union copyright law and make publicly available a summary of the content used for the training, the AI Office should monitor whether the provider has fulfilled those obligations without verifying or proceeding to a work-by-work assessment of the training data in terms of copyright compliance. This Regulation does not affect the enforcement of copyright rules as provided for under Union law. (109) Compliance with the obligations applicable to the providers of general-purpose AI models should be commensurate and proportionate to the type of model provider, excluding the need for compliance for persons who develop or use models for non-professional or scientific research purposes, who should nevertheless be encouraged to voluntarily comply with these requirements. Without prejudice to Union copyright law, compliance with those obligations should take due account of the size of the provider and allow simplified ways of compliance for SMEs, including start-ups, that should not represent an excessive cost and not discourage the use of such models. In the case of a modification or fine-tuning of a model, the obligations for providers of general-purpose AI models should be limited to that modification or fine-tuning, for example by complementing the already existing technical documentation with information on the modifications, including new training data sources, as a means to comply with the value chain obligations provided in this Regulation.
Show original text
Modifications to AI models should be limited to adjustments that enhance existing technical documentation, such as adding information about new training data sources, to meet the requirements of the regulation. General-purpose AI models can create systemic risks, which may include negative impacts on major accidents, disruptions in critical sectors, and serious threats to public health and safety. They can also affect democratic processes and public security, and lead to the spread of illegal, false, or discriminatory content. These risks increase with the model's capabilities and reach, and can occur throughout the model's lifecycle. Factors influencing these risks include misuse, reliability, fairness, security, autonomy, access to tools, and distribution strategies. International discussions have highlighted the importance of addressing risks from intentional misuse or unintended control issues, as well as risks related to chemical, biological, radiological, and nuclear threats, which could lower barriers for weapon development. Additionally, there are concerns about offensive cyber capabilities, the impact of AI on physical systems and critical infrastructure, and the potential for models to replicate themselves or train other models, which can lead to harmful biases.
be limited to that modification or fine-tuning, for example by complementing the already existing technical documentation with information on the modifications, including new training data sources, as a means to comply with the value chain obligations provided in this Regulation. (110) General-purpose AI models could pose systemic risks which include, but are not limited to, any actual or reasonably foreseeable negative effects in relation to major accidents, disruptions of critical sectors and serious consequences to public health and safety; any actual or reasonably foreseeable negative effects on democratic processes, public and economic security; the dissemination of illegal, false, or discriminatory content. Systemic risks should be understood to increase with model capabilities and model reach, can arise along the entire lifecycle of the model, and are influenced by conditions of misuse, model reliability, model fairness and model security, the level of autonomy of EN OJ L, 12.7.2024 28/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj the model, its access to tools, novel or combined modalities, release and distribution strategies, the potential to remove guardrails and other factors. In particular, international approaches have so far identified the need to pay attention to risks from potential intentional misuse or unintended issues of control relating to alignment with human intent; chemical, biological, radiological, and nuclear risks, such as the ways in which barriers to entry can be lowered, including for weapons development, design acquisition, or use; offensive cyber capabilities, such as the ways in vulnerability discovery, exploitation, or operational use can be enabled; the effects of interaction and tool use, including for example the capacity to control physical systems and interfere with critical infrastructure; risks from models of making copies of themselves or ‘self-replicating’ or training other models; the ways in which models can give rise to harmful bias
Show original text
There are several risks associated with general-purpose AI models. These include the ability to control physical systems and disrupt critical infrastructure, the potential for models to create copies of themselves or train other models, and the risk of harmful bias and discrimination that could affect individuals and communities. Additionally, these models can spread disinformation and threaten privacy, which poses risks to democratic values and human rights. A single event involving these models could trigger a chain reaction with serious negative consequences, potentially impacting an entire city or community. To address these concerns, it is important to develop a method for classifying general-purpose AI models that carry systemic risks. A model should be classified as having systemic risks if it possesses high-impact capabilities, which can be assessed using appropriate technical tools and methodologies, or if it significantly affects the internal market due to its reach. High-impact capabilities refer to those that are equal to or greater than those found in the most advanced general-purpose AI models. The full extent of a model's capabilities may only be fully understood after it is on the market or when users interact with it. At the time this regulation takes effect, one way to estimate a model's capabilities is by measuring the total amount of computation used during its training, expressed in floating point operations. This includes all computations involved in enhancing the model's capabilities before it is deployed, such as pre-training, generating synthetic data, and fine-tuning. Therefore, a specific threshold for floating point operations should be established. If a general-purpose AI model meets this threshold, it will be presumed to have systemic risks.
, including for example the capacity to control physical systems and interfere with critical infrastructure; risks from models of making copies of themselves or ‘self-replicating’ or training other models; the ways in which models can give rise to harmful bias and discrimination with risks to individuals, communities or societies; the facilitation of disinformation or harming privacy with threats to democratic values and human rights; risk that a particular event could lead to a chain reaction with considerable negative effects that could affect up to an entire city, an entire domain activity or an entire community. (111) It is appropriate to establish a methodology for the classification of general-purpose AI models as general-purpose AI model with systemic risks. Since systemic risks result from particularly high capabilities, a general-purpose AI model should be considered to present systemic risks if it has high-impact capabilities, evaluated on the basis of appropriate technical tools and methodologies, or significant impact on the internal market due to its reach. High-impact capabilities in general-purpose AI models means capabilities that match or exceed the capabilities recorded in the most advanced general-purpose AI models. The full range of capabilities in a model could be better understood after its placing on the market or when deployers interact with the model. According to the state of the art at the time of entry into force of this Regulation, the cumulative amount of computation used for the training of the general-purpose AI model measured in floating point operations is one of the relevant approximations for model capabilities. The cumulative amount of computation used for training includes the computation used across the activities and methods that are intended to enhance the capabilities of the model prior to deployment, such as pre-training, synthetic data generation and fine-tuning. Therefore, an initial threshold of floating point operations should be set, which, if met by a general-purpose AI model, leads to a presumption that the model is a general-purpose AI model with systemic risks.
Show original text
To ensure safety in AI development, we need to establish a baseline for the number of floating point operations a general-purpose AI model must meet. If a model reaches this threshold, it is presumed to have systemic risks. This threshold should be updated regularly to keep pace with advancements in technology and industry, such as better algorithms or more efficient hardware. Additionally, we should create benchmarks and indicators to assess the model's capabilities. The AI Office should collaborate with scientists, industry leaders, civil society, and other experts to develop these standards. The thresholds and assessment tools should effectively predict the generality, capabilities, and systemic risks of general-purpose AI models, considering factors like market placement and user impact. Furthermore, the Commission should have the authority to individually classify a model as a general-purpose AI model with systemic risks if it meets or exceeds the established threshold. This classification will be based on a comprehensive evaluation of specific criteria outlined in the regulation, including the quality and size of the training data, the number of users, the model's input and output methods, its autonomy, scalability, and available tools. If a provider believes their model has been incorrectly classified, they can request a reassessment from the Commission. Lastly, we need to clarify the process for classifying general-purpose AI models with systemic risks.
data generation and fine-tuning. Therefore, an initial threshold of floating point operations should be set, which, if met by a general-purpose AI model, leads to a presumption that the model is a general-purpose AI model with systemic risks. This threshold should be adjusted over time to reflect technological and industrial changes, such as algorithmic improvements or increased hardware efficiency, and should be supplemented with benchmarks and indicators for model capability. To inform this, the AI Office should engage with the scientific community, industry, civil society and other experts. Thresholds, as well as tools and benchmarks for the assessment of high-impact capabilities, should be strong predictors of generality, its capabilities and associated systemic risk of general-purpose AI models, and could take into account the way the model will be placed on the market or the number of users it may affect. To complement this system, there should be a possibility for the Commission to take individual decisions designating a general-purpose AI model as a general-purpose AI model with systemic risk if it is found that such model has capabilities or an impact equivalent to those captured by the set threshold. That decision should be taken on the basis of an overall assessment of the criteria for the designation of a general-purpose AI model with systemic risk set out in an annex to this Regulation, such as quality or size of the training data set, number of business and end users, its input and output modalities, its level of autonomy and scalability, or the tools it has access to. Upon a reasoned request of a provider whose model has been designated as a general-purpose AI model with systemic risk, the Commission should take the request into account and may decide to reassess whether the general-purpose AI model can still be considered to present systemic risks. (112) It is also necessary to clarify a procedure for the classification of a general-purpose AI model with systemic risks.
Show original text
The AI Office may reconsider whether a general-purpose AI model poses systemic risks. It is important to establish a clear process for classifying these models as having systemic risks. If a general-purpose AI model meets the criteria for high-impact capabilities, it should be assumed to have systemic risks. The provider must inform the AI Office within two weeks after meeting these criteria or when they become aware that their model will meet them. This is particularly important regarding the threshold for floating point operations, as training these models requires significant planning and resource allocation, allowing providers to know in advance if their model will meet the threshold. When notifying the AI Office, the provider can demonstrate that their model, due to its unique characteristics, does not pose systemic risks and should not be classified as such. This information helps the AI Office prepare for the market introduction of potentially risky models and allows providers to engage with the Office early. This is especially crucial for general-purpose AI models intended for open-source release, as ensuring compliance with regulations may become more challenging after the release.
request into account and may decide to reassess whether the general-purpose AI model can still be considered to present systemic risks. (112) It is also necessary to clarify a procedure for the classification of a general-purpose AI model with systemic risks. A general-purpose AI model that meets the applicable threshold for high-impact capabilities should be presumed to be a general-purpose AI models with systemic risk. The provider should notify the AI Office at the latest two weeks after the requirements are met or it becomes known that a general-purpose AI model will meet the requirements that lead to the presumption. This is especially relevant in relation to the threshold of floating point operations because training of general-purpose AI models takes considerable planning which includes the upfront allocation of compute resources and, therefore, providers of general-purpose AI models are able to know if their model would meet the threshold before the training is completed. In the context of that notification, the provider should be able to demonstrate that, because of its specific characteristics, a general-purpose AI model exceptionally does not present systemic risks, and that it thus should not be classified as a general-purpose AI model with systemic risks. That information is valuable for the AI Office to anticipate the placing on the market of general-purpose AI models with systemic risks and the providers can start to engage with the AI Office early on. That information is especially OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 29/144 important with regard to general-purpose AI models that are planned to be released as open-source, given that, after the open-source model release, necessary measures to ensure compliance with the obligations under this Regulation may be more difficult to implement.
Show original text
It's important to consider general-purpose AI models that will be released as open-source. Once these models are available, it may be harder to ensure they comply with regulations. If the Commission discovers that a general-purpose AI model poses systemic risks—either because it was previously unknown or not reported by the provider—it should have the authority to classify it as such. A system of alerts from a scientific panel will help the AI Office identify models that may need this classification, in addition to the Office's own monitoring efforts. Providers of general-purpose AI models that present systemic risks will have additional responsibilities. They must identify and reduce these risks and ensure strong cybersecurity, whether the model is standalone or part of a larger system. To meet these requirements, the regulation will mandate that providers conduct necessary evaluations before the model is first sold, including adversarial testing, which can be done internally or by independent testers. Furthermore, these providers must continuously assess and manage systemic risks by implementing risk management policies, ensuring accountability, monitoring the model after it hits the market, and collaborating with others in the AI value chain.
144 important with regard to general-purpose AI models that are planned to be released as open-source, given that, after the open-source model release, necessary measures to ensure compliance with the obligations under this Regulation may be more difficult to implement. (113) If the Commission becomes aware of the fact that a general-purpose AI model meets the requirements to classify as a general-purpose AI model with systemic risk, which previously had either not been known or of which the relevant provider has failed to notify the Commission, the Commission should be empowered to designate it so. A system of qualified alerts should ensure that the AI Office is made aware by the scientific panel of general-purpose AI models that should possibly be classified as general-purpose AI models with systemic risk, in addition to the monitoring activities of the AI Office. (114) The providers of general-purpose AI models presenting systemic risks should be subject, in addition to the obligations provided for providers of general-purpose AI models, to obligations aimed at identifying and mitigating those risks and ensuring an adequate level of cybersecurity protection, regardless of whether it is provided as a standalone model or embedded in an AI system or a product. To achieve those objectives, this Regulation should require providers to perform the necessary model evaluations, in particular prior to its first placing on the market, including conducting and documenting adversarial testing of models, also, as appropriate, through internal or independent external testing. In addition, providers of general-purpose AI models with systemic risks should continuously assess and mitigate systemic risks, including for example by putting in place risk-management policies, such as accountability and governance processes, implementing post-market monitoring, taking appropriate measures along the entire model’s lifecycle and cooperating with relevant actors along the AI value chain. (115) Providers of general-purpose AI models with systemic risks should assess and mitigate possible systemic risks.
Show original text
Governance processes should be established for post-market monitoring, taking necessary actions throughout the entire lifecycle of AI models, and collaborating with key players in the AI value chain. Providers of general-purpose AI models that pose systemic risks must evaluate and reduce these risks. If a serious incident occurs despite these efforts, the provider must promptly document the incident and report relevant details and corrective actions to the Commission and national authorities. Additionally, providers must ensure strong cybersecurity measures for the model and its infrastructure throughout its lifecycle. This includes protecting against risks from malicious use or attacks, accidental leaks, unauthorized releases, and cyber threats. Security measures should involve safeguarding model weights, algorithms, servers, and datasets through operational security, specific cybersecurity policies, and access controls tailored to the risks involved. The AI Office should promote the creation, review, and updating of codes of practice, considering international standards. All providers of general-purpose AI models may be invited to participate. To ensure these codes reflect current best practices and diverse viewpoints, the AI Office should work with national authorities and consult with civil society organizations, experts, and the Scientific Panel. These codes should outline the responsibilities of providers of general-purpose AI models, especially those with systemic risks.
governance processes, implementing post-market monitoring, taking appropriate measures along the entire model’s lifecycle and cooperating with relevant actors along the AI value chain. (115) Providers of general-purpose AI models with systemic risks should assess and mitigate possible systemic risks. If, despite efforts to identify and prevent risks related to a general-purpose AI model that may present systemic risks, the development or use of the model causes a serious incident, the general-purpose AI model provider should without undue delay keep track of the incident and report any relevant information and possible corrective measures to the Commission and national competent authorities. Furthermore, providers should ensure an adequate level of cybersecurity protection for the model and its physical infrastructure, if appropriate, along the entire model lifecycle. Cybersecurity protection related to systemic risks associated with malicious use or attacks should duly consider accidental model leakage, unauthorised releases, circumvention of safety measures, and defence against cyberattacks, unauthorised access or model theft. That protection could be facilitated by securing model weights, algorithms, servers, and data sets, such as through operational security measures for information security, specific cybersecurity policies, adequate technical and established solutions, and cyber and physical access controls, appropriate to the relevant circumstances and the risks involved. (116) The AI Office should encourage and facilitate the drawing up, review and adaptation of codes of practice, taking into account international approaches. All providers of general-purpose AI models could be invited to participate. To ensure that the codes of practice reflect the state of the art and duly take into account a diverse set of perspectives, the AI Office should collaborate with relevant national competent authorities, and could, where appropriate, consult with civil society organisations and other relevant stakeholders and experts, including the Scientific Panel, for the drawing up of such codes. Codes of practice should cover obligations for providers of general-purpose AI models and of general-purpose AI models presenting systemic risks.
Show original text
Codes of practice will be developed in collaboration with civil society organizations, stakeholders, and experts, including the Scientific Panel. These codes will outline the responsibilities of providers of general-purpose AI models, especially those that pose systemic risks. They will help identify and categorize these risks at the Union level, including their sources, and will focus on specific measures for assessing and reducing these risks. These codes will be essential for ensuring that providers of general-purpose AI models comply with the regulations. Providers can use these codes to show they are meeting their obligations. The Commission may approve a code of practice for general use across the Union or create common rules if a code cannot be finalized or is found inadequate by the AI Office when the regulation takes effect. Once a harmonized standard is published and deemed suitable by the AI Office, following this standard will imply compliance. Additionally, providers can demonstrate compliance through other acceptable methods if codes of practice or harmonized standards are unavailable or if they choose not to use them.
with civil society organisations and other relevant stakeholders and experts, including the Scientific Panel, for the drawing up of such codes. Codes of practice should cover obligations for providers of general-purpose AI models and of general-purpose AI models presenting systemic risks. In addition, as regards systemic risks, codes of practice should help to establish a risk taxonomy of the type and nature of the systemic risks at Union level, including their sources. Codes of practice should also be focused on specific risk assessment and mitigation measures. (117) The codes of practice should represent a central tool for the proper compliance with the obligations provided for under this Regulation for providers of general-purpose AI models. Providers should be able to rely on codes of practice to demonstrate compliance with the obligations. By means of implementing acts, the Commission may decide to approve a code of practice and give it a general validity within the Union, or, alternatively, to provide common rules for the implementation of the relevant obligations, if, by the time this Regulation becomes applicable, a code of practice cannot be finalised or is not deemed adequate by the AI Office. Once a harmonised standard is EN OJ L, 12.7.2024 30/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj published and assessed as suitable to cover the relevant obligations by the AI Office, compliance with a European harmonised standard should grant providers the presumption of conformity. Providers of general-purpose AI models should furthermore be able to demonstrate compliance using alternative adequate means, if codes of practice or harmonised standards are not available, or they choose not to rely on those.
Show original text
The standard should assume that providers of general-purpose AI models meet compliance requirements. If there are no available codes of practice or harmonized standards, these providers can show compliance through other suitable methods. This Regulation sets rules for AI systems and models, requiring market actors to meet specific obligations when offering them in the EU. This complements the obligations for providers of intermediary services that include these AI systems, as outlined in Regulation (EU) 2022/2065. If these systems are part of very large online platforms or search engines, they must follow the risk-management framework in Regulation (EU) 2022/2065. Therefore, the obligations in this Regulation are considered met unless significant systemic risks arise that are not addressed by Regulation (EU) 2022/2065. Providers of very large online platforms and search engines must evaluate potential systemic risks related to their services, including risks from the design and use of their algorithms, and take appropriate measures to mitigate these risks while respecting fundamental rights. Given the rapid innovation and changes in digital services, AI systems covered by this Regulation may also be offered as intermediary services, as defined in Regulation (EU) 2022/2065, and this should be understood in a way that is not limited to specific technologies.
standard should grant providers the presumption of conformity. Providers of general-purpose AI models should furthermore be able to demonstrate compliance using alternative adequate means, if codes of practice or harmonised standards are not available, or they choose not to rely on those. (118) This Regulation regulates AI systems and AI models by imposing certain requirements and obligations for relevant market actors that are placing them on the market, putting into service or use in the Union, thereby complementing obligations for providers of intermediary services that embed such systems or models into their services regulated by Regulation (EU) 2022/2065. To the extent that such systems or models are embedded into designated very large online platforms or very large online search engines, they are subject to the risk-management framework provided for in Regulation (EU) 2022/2065. Consequently, the corresponding obligations of this Regulation should be presumed to be fulfilled, unless significant systemic risks not covered by Regulation (EU) 2022/2065 emerge and are identified in such models. Within this framework, providers of very large online platforms and very large online search engines are obliged to assess potential systemic risks stemming from the design, functioning and use of their services, including how the design of algorithmic systems used in the service may contribute to such risks, as well as systemic risks stemming from potential misuses. Those providers are also obliged to take appropriate mitigating measures in observance of fundamental rights. (119) Considering the quick pace of innovation and the technological evolution of digital services in scope of different instruments of Union law in particular having in mind the usage and the perception of their recipients, the AI systems subject to this Regulation may be provided as intermediary services or parts thereof within the meaning of Regulation (EU) 2022/2065, which should be interpreted in a technology-neutral manner.
Show original text
AI systems covered by this Regulation can act as intermediary services, as defined by Regulation (EU) 2022/2065, and this should be understood in a way that is not limited to specific technologies. For instance, AI systems can be used in online search engines. If an AI system, like an online chatbot, searches through all websites, combines the results with its existing knowledge, and produces a single output, it demonstrates this functionality. Additionally, the Regulation imposes obligations on providers and users of certain AI systems to ensure that it is clear when outputs are artificially generated or altered. This is especially important for very large online platforms and search engines, which must identify and reduce risks associated with the spread of manipulated content. Such risks can negatively impact democratic processes, public discussions, and elections, particularly through disinformation. Standardization is crucial for providing technical solutions that help providers comply with this Regulation. It should align with the latest advancements to encourage innovation, competitiveness, and growth in the single market. Adhering to harmonized standards, as outlined in Article 2, point (1)(c) of Regulation (EU) No 1025/2012, is a way for providers to show they meet the requirements of this Regulation.
the perception of their recipients, the AI systems subject to this Regulation may be provided as intermediary services or parts thereof within the meaning of Regulation (EU) 2022/2065, which should be interpreted in a technology-neutral manner. For example, AI systems may be used to provide online search engines, in particular, to the extent that an AI system such as an online chatbot performs searches of, in principle, all websites, then incorporates the results into its existing knowledge and uses the updated knowledge to generate a single output that combines different sources of information. (120) Furthermore, obligations placed on providers and deployers of certain AI systems in this Regulation to enable the detection and disclosure that the outputs of those systems are artificially generated or manipulated are particularly relevant to facilitate the effective implementation of Regulation (EU) 2022/2065. This applies in particular as regards the obligations of providers of very large online platforms or very large online search engines to identify and mitigate systemic risks that may arise from the dissemination of content that has been artificially generated or manipulated, in particular risk of the actual or foreseeable negative effects on democratic processes, civic discourse and electoral processes, including through disinformation. (121) Standardisation should play a key role to provide technical solutions to providers to ensure compliance with this Regulation, in line with the state of the art, to promote innovation as well as competitiveness and growth in the single market. Compliance with harmonised standards as defined in Article 2, point (1)(c), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council (41), which are normally expected to reflect the state of the art, should be a means for providers to demonstrate conformity with the requirements of this Regulation.
Show original text
The European Parliament and Council Regulation (EU) No 1025/2012 states that standards should reflect the latest advancements and help providers show they meet regulatory requirements. It is important to include a variety of stakeholders, especially small and medium-sized enterprises (SMEs), consumer groups, and environmental and social organizations, in the standard development process as outlined in Articles 5 and 6 of the regulation. The European Commission should issue standardization requests promptly to help ensure compliance. When creating these requests, the Commission should seek advice from an advisory forum and a Board to gather necessary expertise. If there are no relevant harmonized standards available, the Commission can create common specifications through implementing acts after consulting the advisory forum. These common specifications should only be used as a last resort to help providers meet regulatory requirements when standardization requests are not accepted, when existing standards do not adequately address fundamental rights, or when there are delays in creating suitable standards due to their technical complexity.
EU) No 1025/2012 of the European Parliament and of the Council (41), which are normally expected to reflect the state of the art, should be a means for providers to demonstrate conformity with the requirements of this Regulation. A balanced representation of interests involving all relevant stakeholders in the development of standards, in particular SMEs, consumer organisations and environmental and social stakeholders in accordance with Articles 5 and 6 of Regulation (EU) No 1025/2012 should therefore be encouraged. In order to facilitate compliance, the standardisation requests should be issued by the Commission without undue delay. When preparing the standardisation request, the Commission should consult the advisory forum and the Board in order to collect relevant expertise. However, in the absence of relevant references to harmonised standards, the Commission should be able to establish, via implementing acts, and after consultation of the advisory forum, common specifications for certain requirements under this Regulation. The common specification should be an exceptional fall back solution to facilitate the provider’s obligation to comply with the requirements of this Regulation, when the standardisation request has not been accepted by any of the European standardisation organisations, or when the relevant harmonised standards insufficiently address fundamental rights concerns, or when the harmonised standards do not comply with the request, or when there are delays in the adoption of an appropriate harmonised standard. Where such a delay in the adoption of a harmonised standard is due to the technical complexity of that standard, this should OJ L, 12.7.
Show original text
Delays in adopting a suitable harmonised standard may occur, especially if the standard is technically complex. The European Commission should take this into account before deciding to create common specifications. While developing these specifications, the Commission is encouraged to work with international partners and standardisation bodies. Additionally, providers of high-risk AI systems that have been trained and tested using data specific to their intended geographical, behavioural, contextual, or functional settings should be assumed to comply with the relevant data governance requirements outlined in this Regulation, regardless of the use of harmonised standards and common specifications.
or when there are delays in the adoption of an appropriate harmonised standard. Where such a delay in the adoption of a harmonised standard is due to the technical complexity of that standard, this should OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 31/144 (41) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). be considered by the Commission before contemplating the establishment of common specifications. When developing common specifications, the Commission is encouraged to cooperate with international partners and international standardisation bodies. (122) It is appropriate that, without prejudice to the use of harmonised standards and common specifications, providers of a high-risk AI system that has been trained and tested on data reflecting the specific geographical, behavioural, contextual or functional setting within which the AI system is intended to be used, should be presumed to comply with the relevant measure provided for under the requirement on data governance set out in this Regulation.
Show original text
Data that reflects the specific geographical, behavioral, contextual, or functional setting for which an AI system is designed is assumed to meet the data governance requirements outlined in this Regulation. Additionally, high-risk AI systems that have been certified or have received a statement of conformity under a cybersecurity scheme, as per Article 54(3) of Regulation (EU) 2019/881, are also presumed to meet the cybersecurity requirements of this Regulation, provided that the certification covers those requirements. This does not affect the voluntary nature of the cybersecurity scheme. To ensure high trustworthiness in high-risk AI systems, these systems must undergo a conformity assessment before they can be marketed or put into service. To reduce the burden on operators and avoid duplication, high-risk AI systems related to products already covered by existing EU harmonization legislation should be assessed for compliance with this Regulation as part of the existing conformity assessment process. The requirements of this Regulation should not change the established methods or structures of conformity assessments under relevant EU legislation. Given the complexity and associated risks of high-risk AI systems, it is crucial to create a suitable conformity assessment procedure that involves notified bodies, which are third-party assessors.
on data reflecting the specific geographical, behavioural, contextual or functional setting within which the AI system is intended to be used, should be presumed to comply with the relevant measure provided for under the requirement on data governance set out in this Regulation. Without prejudice to the requirements related to robustness and accuracy set out in this Regulation, in accordance with Article 54(3) of Regulation (EU) 2019/881, high-risk AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to that Regulation and the references of which have been published in the Official Journal of the European Union should be presumed to comply with the cybersecurity requirement of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover the cybersecurity requirement of this Regulation. This remains without prejudice to the voluntary nature of that cybersecurity scheme. (123) In order to ensure a high level of trustworthiness of high-risk AI systems, those systems should be subject to a conformity assessment prior to their placing on the market or putting into service. (124) It is appropriate that, in order to minimise the burden on operators and avoid any possible duplication, for high-risk AI systems related to products which are covered by existing Union harmonisation legislation based on the New Legislative Framework, the compliance of those AI systems with the requirements of this Regulation should be assessed as part of the conformity assessment already provided for in that law. The applicability of the requirements of this Regulation should thus not affect the specific logic, methodology or general structure of conformity assessment under the relevant Union harmonisation legislation. (125) Given the complexity of high-risk AI systems and the risks that are associated with them, it is important to develop an adequate conformity assessment procedure for high-risk AI systems involving notified bodies, so-called third party conformity assessment.
Show original text
Due to the complexity and risks of high-risk AI systems, it's crucial to create a proper evaluation process for these systems, involving independent third-party assessors. However, initially, this evaluation should mainly be limited to high-risk AI systems that are not product-related. Generally, the providers of these AI systems should assess them themselves, except for those used for biometrics. To conduct third-party assessments when necessary, national authorities must notify independent bodies that meet specific requirements, such as independence, expertise, and cybersecurity standards. This notification should be sent to the European Commission and other EU member states using an electronic tool developed by the Commission. In line with EU commitments to the World Trade Organization, it is important to allow mutual recognition of assessment results from qualified bodies, regardless of where they are based, as long as they comply with EU regulations and there is an agreement in place. The Commission should actively seek international agreements to facilitate this mutual recognition.
legislation. (125) Given the complexity of high-risk AI systems and the risks that are associated with them, it is important to develop an adequate conformity assessment procedure for high-risk AI systems involving notified bodies, so-called third party conformity assessment. However, given the current experience of professional pre-market certifiers in the field of product safety and the different nature of risks involved, it is appropriate to limit, at least in an initial phase of application of this Regulation, the scope of application of third-party conformity assessment for high-risk AI systems other than those related to products. Therefore, the conformity assessment of such systems should be carried out as a general rule by the provider under its own responsibility, with the only exception of AI systems intended to be used for biometrics. (126) In order to carry out third-party conformity assessments when so required, notified bodies should be notified under this Regulation by the national competent authorities, provided that they comply with a set of requirements, in particular on independence, competence, absence of conflicts of interests and suitable cybersecurity requirements. Notification of those bodies should be sent by national competent authorities to the Commission and the other Member States by means of the electronic notification tool developed and managed by the Commission pursuant to Article R23 of Annex I to Decision No 768/2008/EC. (127) In line with Union commitments under the World Trade Organization Agreement on Technical Barriers to Trade, it is adequate to facilitate the mutual recognition of conformity assessment results produced by competent conformity assessment bodies, independent of the territory in which they are established, provided that those conformity assessment bodies established under the law of a third country meet the applicable requirements of this Regulation and the Union has concluded an agreement to that extent. In this context, the Commission should actively explore possible international instruments for that purpose and in particular pursue the conclusion of mutual recognition agreements with third countries.
Show original text
The Regulation requires that the European Commission actively seeks international agreements, especially mutual recognition agreements with other countries. When a high-risk AI system undergoes significant changes that could affect its compliance with the Regulation—such as changes to its operating system or purpose—it should be treated as a new AI system and must go through a new conformity assessment. However, if the AI system continues to learn and adapt after being released, changes to its algorithm or performance will not be considered substantial modifications, as long as these changes were planned and assessed during the initial conformity assessment. High-risk AI systems must display a CE marking to show they comply with this Regulation, allowing them to be sold freely in the internal market. For AI systems integrated into products, a physical CE marking is required, which can be accompanied by a digital version. For AI systems provided only digitally, a digital CE marking is sufficient. Member States cannot create unnecessary barriers to the market entry of compliant high-risk AI systems that have the CE marking.
the applicable requirements of this Regulation and the Union has concluded an agreement to that extent. In this context, the Commission should actively explore possible international instruments for that purpose and in particular pursue the conclusion of mutual recognition agreements with third countries. (128) In line with the commonly established notion of substantial modification for products regulated by Union harmonisation legislation, it is appropriate that whenever a change occurs which may affect the compliance of a high-risk AI system with this Regulation (e.g. change of operating system or software architecture), or when the intended purpose of the system changes, that AI system should be considered to be a new AI system which should undergo a new conformity assessment. However, changes occurring to the algorithm and the performance of AI systems which continue to ‘learn’ after being placed on the market or put into service, namely automatically adapting how functions are carried out, should not constitute a substantial modification, provided that those changes have been pre-determined by the provider and assessed at the moment of the conformity assessment. EN OJ L, 12.7.2024 32/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (129) High-risk AI systems should bear the CE marking to indicate their conformity with this Regulation so that they can move freely within the internal market. For high-risk AI systems embedded in a product, a physical CE marking should be affixed, and may be complemented by a digital CE marking. For high-risk AI systems only provided digitally, a digital CE marking should be used. Member States should not create unjustified obstacles to the placing on the market or the putting into service of high-risk AI systems that comply with the requirements laid down in this Regulation and bear the CE marking.
Show original text
A digital CE marking must be used for high-risk AI systems. Member States should not create unnecessary barriers to the market entry or use of these systems if they meet the requirements of this Regulation and have the CE marking. In certain situations, quick access to innovative technologies is essential for public health, safety, environmental protection, and societal well-being. Therefore, in exceptional cases related to public security or the protection of life and health, market surveillance authorities may allow the use of AI systems that haven't completed a conformity assessment. In justified cases, law enforcement or civil protection authorities can also use a specific high-risk AI system without prior approval from market surveillance, as long as they request authorization promptly after starting its use. To help the Commission and Member States in managing AI and to improve public transparency, providers of high-risk AI systems (not covered by existing EU regulations) must register themselves and their AI systems in a new EU database managed by the Commission. Before using any AI system classified as high-risk, public authorities, agencies, or bodies must also register in this database and indicate which system they plan to use.
a digital CE marking should be used. Member States should not create unjustified obstacles to the placing on the market or the putting into service of high-risk AI systems that comply with the requirements laid down in this Regulation and bear the CE marking. (130) Under certain conditions, rapid availability of innovative technologies may be crucial for health and safety of persons, the protection of the environment and climate change and for society as a whole. It is thus appropriate that under exceptional reasons of public security or protection of life and health of natural persons, environmental protection and the protection of key industrial and infrastructural assets, market surveillance authorities could authorise the placing on the market or the putting into service of AI systems which have not undergone a conformity assessment. In duly justified situations, as provided for in this Regulation, law enforcement authorities or civil protection authorities may put a specific high-risk AI system into service without the authorisation of the market surveillance authority, provided that such authorisation is requested during or after the use without undue delay. (131) In order to facilitate the work of the Commission and the Member States in the AI field as well as to increase the transparency towards the public, providers of high-risk AI systems other than those related to products falling within the scope of relevant existing Union harmonisation legislation, as well as providers who consider that an AI system listed in the high-risk use cases in an annex to this Regulation is not high-risk on the basis of a derogation, should be required to register themselves and information about their AI system in an EU database, to be established and managed by the Commission. Before using an AI system listed in the high-risk use cases in an annex to this Regulation, deployers of high-risk AI systems that are public authorities, agencies or bodies, should register themselves in such database and select the system that they envisage to use.
Show original text
Public authorities, agencies, or bodies that use high-risk AI systems must register in the EU database and specify the systems they plan to use. Other users can register voluntarily. This section of the database will be publicly accessible and free to use, with information that is easy to navigate, understand, and read by machines. The database should be user-friendly, allowing searches by keywords so that the public can find relevant information about registered high-risk AI systems and their use cases. Any significant changes to these systems must also be recorded in the database. For high-risk AI systems related to law enforcement, migration, asylum, and border control, registration must occur in a secure, non-public section of the database, accessible only to the European Commission and national market surveillance authorities. High-risk AI systems related to critical infrastructure should only be registered at the national level. The European Commission will manage the EU database according to Regulation (EU) 2018/1725. To ensure the database works properly, the Commission will develop functional specifications and conduct an independent audit. The Commission will also consider cybersecurity risks while managing the database.
the high-risk use cases in an annex to this Regulation, deployers of high-risk AI systems that are public authorities, agencies or bodies, should register themselves in such database and select the system that they envisage to use. Other deployers should be entitled to do so voluntarily. This section of the EU database should be publicly accessible, free of charge, the information should be easily navigable, understandable and machine-readable. The EU database should also be user-friendly, for example by providing search functionalities, including through keywords, allowing the general public to find relevant information to be submitted upon the registration of high-risk AI systems and on the use case of high-risk AI systems, set out in an annex to this Regulation, to which the high-risk AI systems correspond. Any substantial modification of high-risk AI systems should also be registered in the EU database. For high-risk AI systems in the area of law enforcement, migration, asylum and border control management, the registration obligations should be fulfilled in a secure non-public section of the EU database. Access to the secure non-public section should be strictly limited to the Commission as well as to market surveillance authorities with regard to their national section of that database. High-risk AI systems in the area of critical infrastructure should only be registered at national level. The Commission should be the controller of the EU database, in accordance with Regulation (EU) 2018/1725. In order to ensure the full functionality of the EU database, when deployed, the procedure for setting the database should include the development of functional specifications by the Commission and an independent audit report. The Commission should take into account cybersecurity risks when carrying out its tasks as data controller on the EU database.
Show original text
When the database is set up, the process should include creating functional specifications by the Commission and an independent audit report. The Commission must consider cybersecurity risks while acting as the data controller for the EU database. To ensure the public can easily access and use the EU database, it must meet the requirements of Directive (EU) 2019/882. Certain AI systems that interact with people or create content may carry risks of impersonation or deception, regardless of whether they are classified as high-risk. Therefore, these systems should have specific transparency requirements, while still adhering to the rules for high-risk AI systems, with some exceptions for law enforcement needs. Specifically, people should be informed when they are interacting with an AI system, unless it is clear to a reasonably informed and observant person based on the situation. When enforcing this requirement, the needs of vulnerable groups, such as the elderly or disabled, should be considered, especially if the AI system is designed to interact with them. Additionally, individuals should be notified if AI systems process their biometric data to identify or infer their emotions or intentions, or to categorize them based on traits like sex, age, hair color, eye color, tattoos, ethnic origin, and personal interests. This information should be provided in accessible formats for people with disabilities.
, when deployed, the procedure for setting the database should include the development of functional specifications by the Commission and an independent audit report. The Commission should take into account cybersecurity risks when carrying out its tasks as data controller on the EU database. In order to maximise the availability and use of the EU database by the public, the EU database, including the information made available through it, should comply with requirements under the Directive (EU) 2019/882. (132) Certain AI systems intended to interact with natural persons or to generate content may pose specific risks of impersonation or deception irrespective of whether they qualify as high-risk or not. In certain circumstances, the use of these systems should therefore be subject to specific transparency obligations without prejudice to the requirements and obligations for high-risk AI systems and subject to targeted exceptions to take into account the special need of law enforcement. In particular, natural persons should be notified that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect taking into account the circumstances and the context of use. When implementing that obligation, the characteristics of natural persons belonging to vulnerable groups due to their age or disability should be taken into account to the extent the AI system is intended to interact with those groups as well. Moreover, natural persons should be notified when they are exposed to AI systems that, by processing their biometric data, can identify or infer the emotions or intentions of those persons or assign them to specific categories. Such specific categories can relate to aspects such as sex, age, hair colour, eye colour, tattoos, personal traits, ethnic origin, personal preferences and interests. Such information and notifications should be provided in accessible formats for persons with disabilities. OJ L, 12.7.
Show original text
Information such as sex, age, hair color, eye color, tattoos, personal traits, ethnic origin, preferences, and interests should be provided in formats that are accessible to people with disabilities. A variety of AI systems can create large amounts of synthetic content that is becoming harder for people to tell apart from real, human-generated content. The widespread use and growing capabilities of these systems pose risks to the integrity and trustworthiness of information, leading to issues like misinformation, manipulation, fraud, impersonation, and consumer deception. To address these challenges, it is important for providers of AI systems to include technical solutions that can mark content in a machine-readable way, indicating whether it was generated or altered by AI rather than a human. These solutions should be reliable, compatible, effective, and robust, considering the available technologies. Possible methods include watermarks, metadata identification, cryptographic techniques to verify the origin and authenticity of content, logging methods, and fingerprints. When implementing these requirements, providers should consider the unique characteristics and limitations of different types of content, as well as current technological and market trends. These techniques can be applied at the level of the AI system or the AI model, including general-purpose AI models that generate content, making it easier for downstream providers to comply with these obligations.
as sex, age, hair colour, eye colour, tattoos, personal traits, ethnic origin, personal preferences and interests. Such information and notifications should be provided in accessible formats for persons with disabilities. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 33/144 (133) A variety of AI systems can generate large quantities of synthetic content that becomes increasingly hard for humans to distinguish from human-generated and authentic content. The wide availability and increasing capabilities of those systems have a significant impact on the integrity and trust in the information ecosystem, raising new risks of misinformation and manipulation at scale, fraud, impersonation and consumer deception. In light of those impacts, the fast technological pace and the need for new methods and techniques to trace origin of information, it is appropriate to require providers of those systems to embed technical solutions that enable marking in a machine readable format and detection that the output has been generated or manipulated by an AI system and not a human. Such techniques and methods should be sufficiently reliable, interoperable, effective and robust as far as this is technically feasible, taking into account available techniques or a combination of such techniques, such as watermarks, metadata identifications, cryptographic methods for proving provenance and authenticity of content, logging methods, fingerprints or other techniques, as may be appropriate. When implementing this obligation, providers should also take into account the specificities and the limitations of the different types of content and the relevant technological and market developments in the field, as reflected in the generally acknowledged state of the art. Such techniques and methods can be implemented at the level of the AI system or at the level of the AI model, including general-purpose AI models generating content, thereby facilitating fulfilment of this obligation by the downstream provider of the AI system.
Show original text
Techniques and methods can be applied either at the AI system level or the AI model level, including general-purpose AI models that create content. This helps the provider of the AI system meet their obligations. However, this marking requirement should not apply to AI systems that mainly assist with standard editing or those that do not significantly change the input data provided by the user. Additionally, if a deployer uses an AI system to create or alter images, audio, or video that closely resembles real people, objects, places, or events (known as deep fakes), they must clearly label the content to show it has been artificially created or manipulated. This transparency requirement does not limit the right to freedom of expression or the arts, especially when the content is clearly creative, satirical, artistic, fictional, or similar. In such cases, the obligation to disclose deep fakes is limited to informing viewers that the content is generated or manipulated, without interfering with the enjoyment or use of the work.
Such techniques and methods can be implemented at the level of the AI system or at the level of the AI model, including general-purpose AI models generating content, thereby facilitating fulfilment of this obligation by the downstream provider of the AI system. To remain proportionate, it is appropriate to envisage that this marking obligation should not cover AI systems performing primarily an assistive function for standard editing or AI systems not substantially altering the input data provided by the deployer or the semantics thereof. (134) Further to the technical solutions employed by the providers of the AI system, deployers who use an AI system to generate or manipulate image, audio or video content that appreciably resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful (deep fakes), should also clearly and distinguishably disclose that the content has been artificially created or manipulated by labelling the AI output accordingly and disclosing its artificial origin. Compliance with this transparency obligation should not be interpreted as indicating that the use of the AI system or its output impedes the right to freedom of expression and the right to freedom of the arts and sciences guaranteed in the Charter, in particular where the content is part of an evidently creative, satirical, artistic, fictional or analogous work or programme, subject to appropriate safeguards for the rights and freedoms of third parties. In those cases, the transparency obligation for deep fakes set out in this Regulation is limited to disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work, including its normal exploitation and use, while maintaining the utility and quality of the work.
Show original text
Content that is generated or manipulated by AI must be disclosed in a way that does not interfere with how the work is displayed or enjoyed. This includes ensuring the work can still be used effectively and maintains its quality. Additionally, if AI-generated or manipulated text is published to inform the public about important issues, it should also be disclosed unless it has been reviewed by a human or has editorial oversight from a responsible person or organization. The Commission may promote the creation of codes of practice at the EU level to help implement these transparency obligations. This includes making detection and labeling of AI-generated content easier and encouraging cooperation among different stakeholders to ensure the public can recognize such content. Providers and users of certain AI systems must comply with regulations that require them to disclose when their outputs are artificially generated or manipulated. This is especially important for large online platforms and search engines, which need to identify and reduce risks associated with the spread of AI-generated content, particularly concerning its potential negative impact on democracy, public discussion, and elections, including the spread of misinformation.
limited to disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work, including its normal exploitation and use, while maintaining the utility and quality of the work. In addition, it is also appropriate to envisage a similar disclosure obligation in relation to AI-generated or manipulated text to the extent it is published with the purpose of informing the public on matters of public interest unless the AI-generated content has undergone a process of human review or editorial control and a natural or legal person holds editorial responsibility for the publication of the content. (135) Without prejudice to the mandatory nature and full applicability of the transparency obligations, the Commission may also encourage and facilitate the drawing up of codes of practice at Union level to facilitate the effective implementation of the obligations regarding the detection and labelling of artificially generated or manipulated content, including to support practical arrangements for making, as appropriate, the detection mechanisms accessible and facilitating cooperation with other actors along the value chain, disseminating content or checking its authenticity and provenance to enable the public to effectively distinguish AI-generated content. (136) The obligations placed on providers and deployers of certain AI systems in this Regulation to enable the detection and disclosure that the outputs of those systems are artificially generated or manipulated are particularly relevant to facilitate the effective implementation of Regulation (EU) 2022/2065. This applies in particular as regards the obligations of providers of very large online platforms or very large online search engines to identify and mitigate systemic risks that may arise from the dissemination of content that has been artificially generated or manipulated, in particular the risk of the actual or foreseeable negative effects on democratic processes, civic discourse and electoral processes, including through disinformation.
Show original text
The goal is to reduce systemic risks that can come from sharing content that is created or altered by artificial intelligence (AI). This includes risks that could negatively impact democracy, public discussions, and elections, especially through misinformation. The requirement to label AI-generated content does not affect the obligations of hosting service providers under Article 16(6) of Regulation (EU) 2022/2065 to handle notices about illegal content as outlined in Article 16(1). The legality of specific content should be judged based solely on existing laws regarding content legality. Compliance with transparency requirements for AI systems under this Regulation does not imply that using the AI system or its results is legal under this Regulation or any other EU or national laws. It also does not affect other transparency obligations for AI system developers set by EU or national laws. AI technology is evolving quickly and needs regulatory oversight and a safe environment for testing. This ensures responsible innovation and the implementation of necessary safeguards. To create a legal framework that encourages innovation and can adapt to changes, Member States should ensure that their national authorities establish at least one AI regulatory sandbox. This sandbox will allow for the development and testing of new AI systems under strict regulatory supervision before they are released to the market or used.
mitigate systemic risks that may arise from the dissemination of content that has been artificially generated or manipulated, in particular the risk of the actual or foreseeable negative effects on democratic processes, civic discourse and electoral processes, including through disinformation. The requirement to label content generated by AI systems under this Regulation is without prejudice to the obligation in Article 16(6) of Regulation (EU) 2022/2065 for providers of hosting services to process notices on illegal content received pursuant to Article 16(1) of that Regulation and should not influence the assessment and the decision on the illegality of the specific content. That assessment should be performed solely with reference to the rules governing the legality of the content. EN OJ L, 12.7.2024 34/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (137) Compliance with the transparency obligations for the AI systems covered by this Regulation should not be interpreted as indicating that the use of the AI system or its output is lawful under this Regulation or other Union and Member State law and should be without prejudice to other transparency obligations for deployers of AI systems laid down in Union or national law. (138) AI is a rapidly developing family of technologies that requires regulatory oversight and a safe and controlled space for experimentation, while ensuring responsible innovation and integration of appropriate safeguards and risk mitigation measures. To ensure a legal framework that promotes innovation, is future-proof and resilient to disruption, Member States should ensure that their national competent authorities establish at least one AI regulatory sandbox at national level to facilitate the development and testing of innovative AI systems under strict regulatory oversight before these systems are placed on the market or otherwise put into service.
Show original text
Countries should make sure that their national authorities create at least one AI regulatory sandbox to help develop and test new AI systems under strict rules before these systems are sold or used. Member States can meet this requirement by joining existing sandboxes or by creating a joint sandbox with other Member States, as long as it provides similar coverage for all involved. AI regulatory sandboxes can be physical, digital, or a mix of both, and they should support both physical and digital products. The authorities setting up these sandboxes must ensure they have enough financial and human resources to operate effectively. The main goals of the AI regulatory sandboxes are to promote AI innovation by providing a controlled environment for testing during the development phase, ensuring that new AI systems comply with regulations and laws. Additionally, these sandboxes should help clarify legal issues for innovators and improve the understanding of AI's risks and impacts for authorities. This will aid in regulatory learning, support cooperation among involved authorities, and help remove barriers for small and medium-sized enterprises (SMEs) and start-ups to access markets. AI regulatory sandboxes should be accessible across the Union, with a focus on making them available for SMEs and start-ups. Participation in these sandboxes should address legal uncertainties that hinder innovation and experimentation with AI in the Union.
States should ensure that their national competent authorities establish at least one AI regulatory sandbox at national level to facilitate the development and testing of innovative AI systems under strict regulatory oversight before these systems are placed on the market or otherwise put into service. Member States could also fulfil this obligation through participating in already existing regulatory sandboxes or establishing jointly a sandbox with one or more Member States’ competent authorities, insofar as this participation provides equivalent level of national coverage for the participating Member States. AI regulatory sandboxes could be established in physical, digital or hybrid form and may accommodate physical as well as digital products. Establishing authorities should also ensure that the AI regulatory sandboxes have the adequate resources for their functioning, including financial and human resources. (139) The objectives of the AI regulatory sandboxes should be to foster AI innovation by establishing a controlled experimentation and testing environment in the development and pre-marketing phase with a view to ensuring compliance of the innovative AI systems with this Regulation and other relevant Union and national law. Moreover, the AI regulatory sandboxes should aim to enhance legal certainty for innovators and the competent authorities’ oversight and understanding of the opportunities, emerging risks and the impacts of AI use, to facilitate regulatory learning for authorities and undertakings, including with a view to future adaptions of the legal framework, to support cooperation and the sharing of best practices with the authorities involved in the AI regulatory sandbox, and to accelerate access to markets, including by removing barriers for SMEs, including start-ups. AI regulatory sandboxes should be widely available throughout the Union, and particular attention should be given to their accessibility for SMEs, including start-ups. The participation in the AI regulatory sandbox should focus on issues that raise legal uncertainty for providers and prospective providers to innovate, experiment with AI in the Union and contribute to evidence-based regulatory learning.
Show original text
The AI regulatory sandbox aims to improve accessibility for small and medium-sized enterprises (SMEs), including start-ups. Its focus is on addressing legal uncertainties that may hinder innovation and experimentation with AI in the European Union. The supervision of AI systems within this sandbox will include their development, training, testing, and validation before they are launched or used. Any significant changes to these systems may require a new assessment to ensure compliance. If major risks are found during development and testing, they must be addressed, or the development process may be halted. National authorities responsible for AI regulatory sandboxes should collaborate with other relevant organizations, such as those overseeing fundamental rights, and may involve various stakeholders in the AI ecosystem, including standardization bodies, testing facilities, research labs, and civil society organizations. To ensure consistent implementation across the EU and to achieve economies of scale, common rules for the operation of these sandboxes should be established, along with a framework for cooperation among the supervising authorities. The AI regulatory sandboxes created under this regulation do not interfere with other laws that allow for the creation of different sandboxes aimed at ensuring legal compliance. When appropriate, authorities managing these other sandboxes should consider using them to ensure AI systems comply with this regulation. With mutual agreement, real-world testing may also take place within the AI regulatory sandbox.
accessibility for SMEs, including start-ups. The participation in the AI regulatory sandbox should focus on issues that raise legal uncertainty for providers and prospective providers to innovate, experiment with AI in the Union and contribute to evidence-based regulatory learning. The supervision of the AI systems in the AI regulatory sandbox should therefore cover their development, training, testing and validation before the systems are placed on the market or put into service, as well as the notion and occurrence of substantial modification that may require a new conformity assessment procedure. Any significant risks identified during the development and testing of such AI systems should result in adequate mitigation and, failing that, in the suspension of the development and testing process. Where appropriate, national competent authorities establishing AI regulatory sandboxes should cooperate with other relevant authorities, including those supervising the protection of fundamental rights, and could allow for the involvement of other actors within the AI ecosystem such as national or European standardisation organisations, notified bodies, testing and experimentation facilities, research and experimentation labs, European Digital Innovation Hubs and relevant stakeholder and civil society organisations. To ensure uniform implementation across the Union and economies of scale, it is appropriate to establish common rules for the AI regulatory sandboxes’ implementation and a framework for cooperation between the relevant authorities involved in the supervision of the sandboxes. AI regulatory sandboxes established under this Regulation should be without prejudice to other law allowing for the establishment of other sandboxes aiming to ensure compliance with law other than this Regulation. Where appropriate, relevant competent authorities in charge of those other regulatory sandboxes should consider the benefits of using those sandboxes also for the purpose of ensuring compliance of AI systems with this Regulation. Upon agreement between the national competent authorities and the participants in the AI regulatory sandbox, testing in real world conditions may also be operated and supervised in the framework of the AI regulatory sandbox.
Show original text
This Regulation aims to ensure that AI systems comply with legal standards. If agreed upon by national authorities and participants in the AI regulatory sandbox, real-world testing can be conducted and monitored within this framework. The Regulation allows AI providers to use personal data collected for other purposes to develop certain AI systems that serve the public interest, but only under specific conditions outlined in existing EU regulations. All other obligations for data controllers and rights for data subjects under these regulations still apply. Notably, this Regulation does not provide a legal basis for certain automated decisions as specified in previous EU regulations. AI providers in the regulatory sandbox must implement appropriate safeguards and work closely with authorities. They should follow guidance and act quickly and in good faith to address any significant risks to safety, health, and fundamental rights that may arise during development, testing, and experimentation.
of ensuring compliance of AI systems with this Regulation. Upon agreement between the national competent authorities and the participants in the AI regulatory sandbox, testing in real world conditions may also be operated and supervised in the framework of the AI regulatory sandbox. (140) This Regulation should provide the legal basis for the providers and prospective providers in the AI regulatory sandbox to use personal data collected for other purposes for developing certain AI systems in the public interest within the AI regulatory sandbox, only under specified conditions, in accordance with Article 6(4) and Article 9(2), point (g), of Regulation (EU) 2016/679, and Articles 5, 6 and 10 of Regulation (EU) 2018/1725, and without prejudice to Article 4(2) and Article 10 of Directive (EU) 2016/680. All other obligations of data controllers and rights of data subjects under Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680 remain applicable. In particular, this Regulation should not provide a legal basis in the meaning of Article 22(2), point (b) of Regulation (EU) 2016/679 and Article 24(2), point (b) of Regulation (EU) 2018/1725. Providers and prospective OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 35/144 providers in the AI regulatory sandbox should ensure appropriate safeguards and cooperate with the competent authorities, including by following their guidance and acting expeditiously and in good faith to adequately mitigate any identified significant risks to safety, health, and fundamental rights that may arise during the development, testing and experimentation in that sandbox.
Show original text
Competent authorities must provide guidance and act quickly and in good faith to address any significant risks to safety, health, and fundamental rights that may arise during the development, testing, and experimentation of high-risk AI systems in a regulatory sandbox. To speed up the development and market introduction of these high-risk AI systems, providers can also test their systems in real-world conditions without being part of an AI regulatory sandbox. However, this testing must include proper safeguards to protect individuals. These safeguards include obtaining informed consent from participants, except in law enforcement situations where consent could hinder testing. It's important to note that consent for testing is separate from consent for processing personal data under data protection laws. To minimize risks and ensure oversight, prospective providers must submit a real-world testing plan to the relevant market surveillance authority, register their testing in specific sections of the EU database (with some exceptions), limit the duration of testing, provide additional protections for vulnerable groups, and establish a written agreement outlining the roles and responsibilities of all parties involved in the testing.
competent authorities, including by following their guidance and acting expeditiously and in good faith to adequately mitigate any identified significant risks to safety, health, and fundamental rights that may arise during the development, testing and experimentation in that sandbox. (141) In order to accelerate the process of development and the placing on the market of the high-risk AI systems listed in an annex to this Regulation, it is important that providers or prospective providers of such systems may also benefit from a specific regime for testing those systems in real world conditions, without participating in an AI regulatory sandbox. However, in such cases, taking into account the possible consequences of such testing on individuals, it should be ensured that appropriate and sufficient guarantees and conditions are introduced by this Regulation for providers or prospective providers. Such guarantees should include, inter alia, requesting informed consent of natural persons to participate in testing in real world conditions, with the exception of law enforcement where the seeking of informed consent would prevent the AI system from being tested. Consent of subjects to participate in such testing under this Regulation is distinct from, and without prejudice to, consent of data subjects for the processing of their personal data under the relevant data protection law. It is also important to minimise the risks and enable oversight by competent authorities and therefore require prospective providers to have a real-world testing plan submitted to competent market surveillance authority, register the testing in dedicated sections in the EU database subject to some limited exceptions, set limitations on the period for which the testing can be done and require additional safeguards for persons belonging to certain vulnerable groups, as well as a written agreement defining the roles and responsibilities of prospective providers and deployers and effective oversight by competent personnel involved in the real world testing.
Show original text
Additional safeguards are needed for vulnerable groups during real-world testing of AI systems. This includes a written agreement that outlines the roles and responsibilities of those involved, as well as effective oversight by qualified personnel. It's important to ensure that any predictions or decisions made by the AI can be reversed and that personal data is protected. If participants withdraw their consent, their data must be deleted, in line with Union data protection laws. Data collected for testing should only be transferred to other countries if proper safeguards are in place, especially for personal data, following Union data protection regulations. To promote positive social and environmental outcomes from AI, Member States should support research and development of AI solutions that enhance accessibility for people with disabilities, address socio-economic inequalities, and help meet environmental goals. This support should include adequate funding and focus on projects that meet these objectives, encouraging collaboration among AI developers, experts in inequality and non-discrimination, and academics.
can be done and require additional safeguards for persons belonging to certain vulnerable groups, as well as a written agreement defining the roles and responsibilities of prospective providers and deployers and effective oversight by competent personnel involved in the real world testing. Furthermore, it is appropriate to envisage additional safeguards to ensure that the predictions, recommendations or decisions of the AI system can be effectively reversed and disregarded and that personal data is protected and is deleted when the subjects have withdrawn their consent to participate in the testing without prejudice to their rights as data subjects under the Union data protection law. As regards transfer of data, it is also appropriate to envisage that data collected and processed for the purpose of testing in real-world conditions should be transferred to third countries only where appropriate and applicable safeguards under Union law are implemented, in particular in accordance with bases for transfer of personal data under Union law on data protection, while for non-personal data appropriate safeguards are put in place in accordance with Union law, such as Regulations (EU) 2022/868 (42) and (EU) 2023/2854 (43) of the European Parliament and of the Council. (142) To ensure that AI leads to socially and environmentally beneficial outcomes, Member States are encouraged to support and promote research and development of AI solutions in support of socially and environmentally beneficial outcomes, such as AI-based solutions to increase accessibility for persons with disabilities, tackle socio-economic inequalities, or meet environmental targets, by allocating sufficient resources, including public and Union funding, and, where appropriate and provided that the eligibility and selection criteria are fulfilled, considering in particular projects which pursue such objectives. Such projects should be based on the principle of interdisciplinary cooperation between AI developers, experts on inequality and non-discrimination, accessibility, consumer, environmental, and digital rights, as well as academics.
Show original text
Projects aimed at addressing inequality and discrimination should involve collaboration among AI developers, experts in inequality, accessibility, consumer rights, environmental rights, digital rights, and academics. To support innovation, it's crucial to consider the needs of small and medium-sized enterprises (SMEs) and start-ups that provide or use AI systems. Member States should create initiatives to raise awareness and share information with these businesses. SMEs and start-ups with a registered office or branch in the EU should have priority access to AI regulatory sandboxes, as long as they meet the eligibility criteria. Other providers can also access these sandboxes if they meet the same conditions. Member States should establish effective communication channels to support SMEs and start-ups, helping them understand and implement regulations. These channels should collaborate to ensure consistent guidance. Additionally, Member States should encourage SME participation in standardization processes and address their specific needs.
ing in particular projects which pursue such objectives. Such projects should be based on the principle of interdisciplinary cooperation between AI developers, experts on inequality and non-discrimination, accessibility, consumer, environmental, and digital rights, as well as academics. (143) In order to promote and protect innovation, it is important that the interests of SMEs, including start-ups, that are providers or deployers of AI systems are taken into particular account. To that end, Member States should develop initiatives, which are targeted at those operators, including on awareness raising and information communication. Member States should provide SMEs, including start-ups, that have a registered office or a branch in the Union, with priority access to the AI regulatory sandboxes provided that they fulfil the eligibility conditions and selection criteria and without precluding other providers and prospective providers to access the sandboxes provided the same conditions and criteria are fulfilled. Member States should utilise existing channels and where appropriate, establish new dedicated channels for communication with SMEs, including start-ups, deployers, other innovators and, as appropriate, local public authorities, to support SMEs throughout their development path by providing guidance and responding to queries about the implementation of this Regulation. Where appropriate, these channels should work together to create synergies and ensure homogeneity in their guidance to SMEs, including start-ups, and deployers. Additionally, Member States should facilitate the participation of SMEs and other relevant stakeholders in the standardisation development processes. Moreover, the specific interests and needs of providers that are SMEs, EN OJ L, 12.7.
Show original text
Member States should help small and medium-sized enterprises (SMEs) and other important groups take part in the development of standards. They need to consider the specific needs of SMEs, including start-ups, when setting fees for conformity assessments. The European Commission should regularly evaluate the costs of certification and compliance for SMEs and work with Member States to reduce these costs. For instance, translation costs for required documents and communication with authorities can be a major expense for smaller providers. Member States should ensure that one of the accepted languages for documentation and communication is widely understood by as many cross-border operators as possible.
. Additionally, Member States should facilitate the participation of SMEs and other relevant stakeholders in the standardisation development processes. Moreover, the specific interests and needs of providers that are SMEs, EN OJ L, 12.7.2024 36/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (42) Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152, 3.6.2022, p. 1). (43) Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) (OJ L, 2023/2854, 22.12.2023, ELI: http://data.europa.eu/eli/reg/2023/2854/oj). including start-ups, should be taken into account when notified bodies set conformity assessment fees. The Commission should regularly assess the certification and compliance costs for SMEs, including start-ups, through transparent consultations and should work with Member States to lower such costs. For example, translation costs related to mandatory documentation and communication with authorities may constitute a significant cost for providers and other operators, in particular those of a smaller scale. Member States should possibly ensure that one of the languages determined and accepted by them for relevant providers’ documentation and for communication with operators is one which is broadly understood by the largest possible number of cross-border deployers.
Show original text
Member States should ensure that one of the languages they choose for important documents and communication with operators is widely understood by as many cross-border deployers as possible. To help small and medium-sized enterprises (SMEs), including start-ups, the Commission should provide standardized templates related to this Regulation when requested by the Board. Additionally, the Commission should support Member States by creating a single, user-friendly information platform about this Regulation for all providers and deployers. They should also run communication campaigns to raise awareness of the obligations under this Regulation and promote best practices in public procurement for AI systems. Medium-sized enterprises that were previously classified as small under the Commission Recommendation 2003/361/EC should also have access to these support measures, as they may lack the legal resources and training needed to understand and comply with this Regulation. To foster innovation, the AI-on-demand platform and relevant EU funding programs, like the Digital Europe Programme and Horizon Europe, should help achieve the goals of this Regulation. To reduce risks from a lack of knowledge in the market and to help providers, especially SMEs and start-ups, comply with their obligations, the AI-on-demand platform, European Digital Innovation Hubs, and testing facilities set up by the Commission and Member States should assist in implementing this Regulation.
those of a smaller scale. Member States should possibly ensure that one of the languages determined and accepted by them for relevant providers’ documentation and for communication with operators is one which is broadly understood by the largest possible number of cross-border deployers. In order to address the specific needs of SMEs, including start-ups, the Commission should provide standardised templates for the areas covered by this Regulation, upon request of the Board. Additionally, the Commission should complement Member States’ efforts by providing a single information platform with easy-to-use information with regards to this Regulation for all providers and deployers, by organising appropriate communication campaigns to raise awareness about the obligations arising from this Regulation, and by evaluating and promoting the convergence of best practices in public procurement procedures in relation to AI systems. Medium-sized enterprises which until recently qualified as small enterprises within the meaning of the Annex to Commission Recommendation 2003/361/EC (44) should have access to those support measures, as those new medium-sized enterprises may sometimes lack the legal resources and training necessary to ensure proper understanding of, and compliance with, this Regulation. (144) In order to promote and protect innovation, the AI-on-demand platform, all relevant Union funding programmes and projects, such as Digital Europe Programme, Horizon Europe, implemented by the Commission and the Member States at Union or national level should, as appropriate, contribute to the achievement of the objectives of this Regulation. (145) In order to minimise the risks to implementation resulting from lack of knowledge and expertise in the market as well as to facilitate compliance of providers, in particular SMEs, including start-ups, and notified bodies with their obligations under this Regulation, the AI-on-demand platform, the European Digital Innovation Hubs and the testing and experimentation facilities established by the Commission and the Member States at Union or national level should contribute to the implementation of this Regulation.
Show original text
The AI-on-demand platform, European Digital Innovation Hubs, and testing and experimentation facilities set up by the Commission and Member States are essential for implementing this Regulation. They can provide technical and scientific support to providers and notified bodies within their areas of expertise. To help small operators, particularly microenterprises, the Regulation allows them to meet one of the most expensive requirements—establishing a quality management system—in a simpler way. This approach reduces administrative burdens and costs without compromising safety and compliance for high-risk AI systems. The Commission will create guidelines to outline what microenterprises need to do for this simplified quality management system. The Commission should also help ensure that testing and experimentation facilities are accessible to accredited bodies, groups, or laboratories that assess conformity of products under relevant EU laws. This is especially important for expert panels and laboratories related to medical devices under Regulations (EU) 2017/745 and (EU) 2017/746. Finally, this Regulation aims to create a governance framework that coordinates and supports its application at the national level while building capabilities at the EU level and involving stakeholders in the AI field.
obligations under this Regulation, the AI-on-demand platform, the European Digital Innovation Hubs and the testing and experimentation facilities established by the Commission and the Member States at Union or national level should contribute to the implementation of this Regulation. Within their respective mission and fields of competence, the AI-on-demand platform, the European Digital Innovation Hubs and the testing and experimentation Facilities are able to provide in particular technical and scientific support to providers and notified bodies. (146) Moreover, in light of the very small size of some operators and in order to ensure proportionality regarding costs of innovation, it is appropriate to allow microenterprises to fulfil one of the most costly obligations, namely to establish a quality management system, in a simplified manner which would reduce the administrative burden and the costs for those enterprises without affecting the level of protection and the need for compliance with the requirements for high-risk AI systems. The Commission should develop guidelines to specify the elements of the quality management system to be fulfilled in this simplified manner by microenterprises. (147) It is appropriate that the Commission facilitates, to the extent possible, access to testing and experimentation facilities to bodies, groups or laboratories established or accredited pursuant to any relevant Union harmonisation legislation and which fulfil tasks in the context of conformity assessment of products or devices covered by that Union harmonisation legislation. This is, in particular, the case as regards expert panels, expert laboratories and reference laboratories in the field of medical devices pursuant to Regulations (EU) 2017/745 and (EU) 2017/746. (148) This Regulation should establish a governance framework that both allows to coordinate and support the application of this Regulation at national level, as well as build capabilities at Union level and integrate stakeholders in the field of AI.
Show original text
The regulation 2017/746 aims to create a governance framework that coordinates and supports the application of AI regulations at the national level while building expertise at the Union level and involving stakeholders. To effectively implement and enforce this regulation, a governance framework is needed to centralize expertise. The AI Office, established by a Commission Decision, is responsible for developing expertise and capabilities in AI and ensuring compliance with Union law on AI. Member States are encouraged to assist the AI Office in enhancing Union expertise and capabilities to improve the digital single market. Additionally, a Board with representatives from Member States, a scientific panel to include the scientific community, and an advisory forum for stakeholder input will be created to aid in the regulation's implementation at both Union and national levels. The development of Union expertise will also leverage existing resources and expertise, particularly through collaborations with other Union enforcement structures and related initiatives like the EuroHPC Joint Undertaking and AI testing facilities under the Digital Europe Programme.
2017/746. (148) This Regulation should establish a governance framework that both allows to coordinate and support the application of this Regulation at national level, as well as build capabilities at Union level and integrate stakeholders in the field of AI. The effective implementation and enforcement of this Regulation require a governance framework that allows to coordinate and build up central expertise at Union level. The AI Office was established by Commission Decision (45) and has as its mission to develop Union expertise and capabilities in the field of AI and to contribute to the implementation of Union law on AI. Member States should facilitate the tasks of the AI Office with a view to support the development of Union expertise and capabilities at Union level and to strengthen the functioning of the digital single market. Furthermore, a Board composed of representatives of the Member States, a scientific panel to integrate the scientific community and an advisory forum to contribute stakeholder input to the implementation of this Regulation, at Union and national level, should be established. The development of Union expertise and OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 37/144 (44) Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36). (45) Commission Decision of 24.1.2024 establishing the European Artificial Intelligence Office C(2024) 390. capabilities should also include making use of existing resources and expertise, in particular through synergies with structures built up in the context of the Union level enforcement of other law and synergies with related initiatives at Union level, such as the EuroHPC Joint Undertaking and the AI testing and experimentation facilities under the Digital Europe Programme.
Show original text
To ensure the effective and consistent implementation of this Regulation, a Board will be created. This Board will represent various interests within the AI ecosystem and will include representatives from Member States. Its main responsibilities will include providing opinions, recommendations, and guidance on the Regulation's implementation, enforcement, technical specifications, and existing standards. The representatives can be any qualified individuals from public entities who can help coordinate at the national level. Additionally, the Board will form two permanent sub-groups to facilitate cooperation among market surveillance authorities and notified bodies. The market surveillance sub-group will function as the administrative cooperation group (ADCO) as defined in Article 30 of Regulation (EU) 2019/1020. The Commission will assist this sub-group by conducting market evaluations to identify areas needing urgent coordination among market surveillance authorities. The Board may also create other sub-groups as needed to address specific issues.
with structures built up in the context of the Union level enforcement of other law and synergies with related initiatives at Union level, such as the EuroHPC Joint Undertaking and the AI testing and experimentation facilities under the Digital Europe Programme. (149) In order to facilitate a smooth, effective and harmonised implementation of this Regulation a Board should be established. The Board should reflect the various interests of the AI eco-system and be composed of representatives of the Member States. The Board should be responsible for a number of advisory tasks, including issuing opinions, recommendations, advice or contributing to guidance on matters related to the implementation of this Regulation, including on enforcement matters, technical specifications or existing standards regarding the requirements established in this Regulation and providing advice to the Commission and the Member States and their national competent authorities on specific questions related to AI. In order to give some flexibility to Member States in the designation of their representatives in the Board, such representatives may be any persons belonging to public entities who should have the relevant competences and powers to facilitate coordination at national level and contribute to the achievement of the Board’s tasks. The Board should establish two standing sub-groups to provide a platform for cooperation and exchange among market surveillance authorities and notifying authorities on issues related, respectively, to market surveillance and notified bodies. The standing subgroup for market surveillance should act as the administrative cooperation group (ADCO) for this Regulation within the meaning of Article 30 of Regulation (EU) 2019/1020. In accordance with Article 33 of that Regulation, the Commission should support the activities of the standing subgroup for market surveillance by undertaking market evaluations or studies, in particular with a view to identifying aspects of this Regulation requiring specific and urgent coordination among market surveillance authorities. The Board may establish other standing or temporary sub-groups as appropriate for the purpose of examining specific issues.
Show original text
Market evaluations or studies will focus on identifying parts of this Regulation that need urgent coordination among market surveillance authorities. The Board can create additional permanent or temporary sub-groups to address specific issues. It should also collaborate with relevant Union bodies, expert groups, and networks related to Union law, especially those concerning data, digital products, and services. To involve stakeholders in implementing this Regulation, an advisory forum will be set up to provide advice and technical expertise to the Board and the Commission. This forum will ensure a balanced representation of both commercial and non-commercial interests, including industry, start-ups, SMEs, academia, civil society, and organizations like the Fundamental Rights Agency, ENISA, CEN, CENELEC, and ETSI. To aid in the implementation and enforcement of this Regulation, especially in monitoring general-purpose AI models, a scientific panel of independent experts will be formed. These experts will be chosen for their current scientific or technical knowledge in AI and will work impartially, maintaining confidentiality of any information they handle. Member States can also seek support from this panel of experts to strengthen their enforcement efforts.
market evaluations or studies, in particular with a view to identifying aspects of this Regulation requiring specific and urgent coordination among market surveillance authorities. The Board may establish other standing or temporary sub-groups as appropriate for the purpose of examining specific issues. The Board should also cooperate, as appropriate, with relevant Union bodies, experts groups and networks active in the context of relevant Union law, including in particular those active under relevant Union law on data, digital products and services. (150) With a view to ensuring the involvement of stakeholders in the implementation and application of this Regulation, an advisory forum should be established to advise and provide technical expertise to the Board and the Commission. To ensure a varied and balanced stakeholder representation between commercial and non-commercial interest and, within the category of commercial interests, with regards to SMEs and other undertakings, the advisory forum should comprise inter alia industry, start-ups, SMEs, academia, civil society, including the social partners, as well as the Fundamental Rights Agency, ENISA, the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC) and the European Telecommunications Standards Institute (ETSI). (151) To support the implementation and enforcement of this Regulation, in particular the monitoring activities of the AI Office as regards general-purpose AI models, a scientific panel of independent experts should be established. The independent experts constituting the scientific panel should be selected on the basis of up-to-date scientific or technical expertise in the field of AI and should perform their tasks with impartiality, objectivity and ensure the confidentiality of information and data obtained in carrying out their tasks and activities. To allow the reinforcement of national capacities necessary for the effective enforcement of this Regulation, Member States should be able to request support from the pool of experts constituting the scientific panel for their enforcement activities.
Show original text
To effectively enforce this Regulation, Member States can request help from a group of experts known as the scientific panel. Additionally, to support the enforcement of AI systems, the Union will create AI testing support structures for Member States. Each Member State plays a crucial role in applying and enforcing this Regulation. They must appoint at least one notifying authority and one market surveillance authority as their national competent authorities to oversee the Regulation's implementation. Member States can choose any public entity to fulfill these roles based on their specific needs. To improve efficiency and provide a single point of contact for the public and other entities, each Member State should designate a market surveillance authority for this purpose. The national competent authorities must operate independently and fairly, ensuring objectivity in their work. Their members must avoid any actions that conflict with their responsibilities and adhere to confidentiality rules outlined in this Regulation.
obtained in carrying out their tasks and activities. To allow the reinforcement of national capacities necessary for the effective enforcement of this Regulation, Member States should be able to request support from the pool of experts constituting the scientific panel for their enforcement activities. (152) In order to support adequate enforcement as regards AI systems and reinforce the capacities of the Member States, Union AI testing support structures should be established and made available to the Member States. (153) Member States hold a key role in the application and enforcement of this Regulation. In that respect, each Member State should designate at least one notifying authority and at least one market surveillance authority as national competent authorities for the purpose of supervising the application and implementation of this Regulation. Member States may decide to appoint any kind of public entity to perform the tasks of the national competent authorities within the meaning of this Regulation, in accordance with their specific national organisational characteristics and needs. In order to increase organisation efficiency on the side of Member States and to set a single point of contact vis-à-vis the public and other counterparts at Member State and Union levels, each Member State should designate a market surveillance authority to act as a single point of contact. EN OJ L, 12.7.2024 38/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (154) The national competent authorities should exercise their powers independently, impartially and without bias, so as to safeguard the principles of objectivity of their activities and tasks and to ensure the application and implementation of this Regulation. The members of these authorities should refrain from any action incompatible with their duties and should be subject to confidentiality rules under this Regulation.
Show original text
To maintain objectivity in their work and ensure compliance with this Regulation, members of these authorities must avoid actions that conflict with their responsibilities and adhere to confidentiality rules. To help providers of high-risk AI systems improve their products and respond quickly to issues, they must implement a post-market monitoring system. This system should analyze how their AI interacts with other AI systems, devices, and software, but it should not include sensitive operational data from law enforcement agencies. This monitoring is crucial for addressing risks from AI systems that continue to learn after being released. Additionally, providers must report serious incidents caused by their AI systems to the relevant authorities. Serious incidents include those resulting in death or severe health issues, major disruptions to critical infrastructure, violations of laws protecting fundamental rights, or significant damage to property or the environment. To effectively enforce the requirements of this Regulation, the market surveillance and compliance system established by Regulation (EU) 2019/1020 will be fully applied. Market surveillance authorities designated under this Regulation will have all the enforcement powers outlined in both this Regulation and Regulation (EU) 2019/1020, and they must carry out their duties independently and impartially.
to safeguard the principles of objectivity of their activities and tasks and to ensure the application and implementation of this Regulation. The members of these authorities should refrain from any action incompatible with their duties and should be subject to confidentiality rules under this Regulation. (155) In order to ensure that providers of high-risk AI systems can take into account the experience on the use of high-risk AI systems for improving their systems and the design and development process or can take any possible corrective action in a timely manner, all providers should have a post-market monitoring system in place. Where relevant, post-market monitoring should include an analysis of the interaction with other AI systems including other devices and software. Post-market monitoring should not cover sensitive operational data of deployers which are law enforcement authorities. This system is also key to ensure that the possible risks emerging from AI systems which continue to ‘learn’ after being placed on the market or put into service can be more efficiently and timely addressed. In this context, providers should also be required to have a system in place to report to the relevant authorities any serious incidents resulting from the use of their AI systems, meaning incident or malfunctioning leading to death or serious damage to health, serious and irreversible disruption of the management and operation of critical infrastructure, infringements of obligations under Union law intended to protect fundamental rights or serious damage to property or the environment. (156) In order to ensure an appropriate and effective enforcement of the requirements and obligations set out by this Regulation, which is Union harmonisation legislation, the system of market surveillance and compliance of products established by Regulation (EU) 2019/1020 should apply in its entirety. Market surveillance authorities designated pursuant to this Regulation should have all enforcement powers laid down in this Regulation and in Regulation (EU) 2019/1020 and should exercise their powers and carry out their duties independently, impartially and without bias.
Show original text
Surveillance authorities designated under this Regulation must have all the enforcement powers specified in this Regulation and in Regulation (EU) 2019/1020. They should perform their duties independently, impartially, and without bias. While most AI systems do not have specific requirements under this Regulation, market surveillance authorities can take action against any AI systems that pose a risk according to this Regulation. Given the unique nature of Union institutions, agencies, and bodies covered by this Regulation, the European Data Protection Supervisor is designated as a competent market surveillance authority for them. This does not affect the designation of national authorities by Member States. Market surveillance activities should not hinder the ability of supervised entities to perform their tasks independently when required by Union law. This Regulation does not interfere with the roles, responsibilities, powers, and independence of national public authorities or bodies that oversee the application of Union law protecting fundamental rights, including equality bodies and data protection authorities. These national authorities should have access to any documents created under this Regulation as needed for their work. A specific procedure should be established to ensure timely enforcement against AI systems that pose risks to health, safety, and fundamental rights. This procedure applies to high-risk AI systems, prohibited systems that have been improperly marketed or used, and AI systems that violate transparency requirements and present risks.
surveillance authorities designated pursuant to this Regulation should have all enforcement powers laid down in this Regulation and in Regulation (EU) 2019/1020 and should exercise their powers and carry out their duties independently, impartially and without bias. Although the majority of AI systems are not subject to specific requirements and obligations under this Regulation, market surveillance authorities may take measures in relation to all AI systems when they present a risk in accordance with this Regulation. Due to the specific nature of Union institutions, agencies and bodies falling within the scope of this Regulation, it is appropriate to designate the European Data Protection Supervisor as a competent market surveillance authority for them. This should be without prejudice to the designation of national competent authorities by the Member States. Market surveillance activities should not affect the ability of the supervised entities to carry out their tasks independently, when such independence is required by Union law. (157) This Regulation is without prejudice to the competences, tasks, powers and independence of relevant national public authorities or bodies which supervise the application of Union law protecting fundamental rights, including equality bodies and data protection authorities. Where necessary for their mandate, those national public authorities or bodies should also have access to any documentation created under this Regulation. A specific safeguard procedure should be set for ensuring adequate and timely enforcement against AI systems presenting a risk to health, safety and fundamental rights. The procedure for such AI systems presenting a risk should be applied to high-risk AI systems presenting a risk, prohibited systems which have been placed on the market, put into service or used in violation of the prohibited practices laid down in this Regulation and AI systems which have been made available in violation of the transparency requirements laid down in this Regulation and present a risk.
Show original text
This regulation prohibits the marketing, use, or service of AI systems that violate certain practices or transparency requirements and pose risks. Union financial services law includes rules for internal governance and risk management that apply to regulated financial institutions when they provide services, including those that use AI systems. To ensure consistent application and enforcement of this regulation and related financial services laws, the relevant authorities, as defined in Regulation (EU) No 575/2013 and Directives 2008/48/EC and 2009/138/EC, will oversee compliance.
which have been placed on the market, put into service or used in violation of the prohibited practices laid down in this Regulation and AI systems which have been made available in violation of the transparency requirements laid down in this Regulation and present a risk. (158) Union financial services law includes internal governance and risk-management rules and requirements which are applicable to regulated financial institutions in the course of provision of those services, including when they make use of AI systems. In order to ensure coherent application and enforcement of the obligations under this Regulation and relevant rules and requirements of the Union financial services legal acts, the competent authorities for the supervision and enforcement of those legal acts, in particular competent authorities as defined in Regulation (EU) No 575/2013 of the European Parliament and of the Council (46) and Directives 2008/48/EC (47), 2009/138/EC (48), OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 39/144 (46) Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). (47) Directive 2008/48/EC of the European Parliament and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66).
Show original text
The Council issued a directive on April 23, 2008, regarding credit agreements for consumers, which replaced the previous Council Directive 87/102/EEC. This was published in the Official Journal on May 22, 2008. Additionally, Directive 2009/138/EC, adopted by the European Parliament and Council on November 25, 2009, pertains to the insurance and reinsurance business (known as Solvency II) and was published in the Official Journal on December 17, 2009. Directives 2013/36/EU, 2014/17/EU, and (EU) 2016/97 designate specific authorities to supervise the implementation of this Regulation, particularly concerning AI systems used by regulated financial institutions. Member States may choose to appoint different authorities for these market surveillance tasks. These designated authorities will have the necessary powers to enforce the Regulation's requirements, including conducting market surveillance activities that align with existing supervisory frameworks under EU financial services law. When acting as market surveillance authorities, national authorities overseeing credit institutions under Directive 2013/36/EU, which are part of the Single Supervisory Mechanism established by Council Regulation (EU) No 1024/2013, must promptly report any relevant findings from their market surveillance to the European Central Bank.
and of the Council of 23 April 2008 on credit agreements for consumers and repealing Council Directive 87/102/EEC (OJ L 133, 22.5.2008, p. 66). (48) Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (OJ L 335, 17.12.2009, p. 1). 2013/36/EU (49), 2014/17/EU (50) and (EU) 2016/97 (51) of the European Parliament and of the Council, should be designated, within their respective competences, as competent authorities for the purpose of supervising the implementation of this Regulation, including for market surveillance activities, as regards AI systems provided or used by regulated and supervised financial institutions unless Member States decide to designate another authority to fulfil these market surveillance tasks. Those competent authorities should have all powers under this Regulation and Regulation (EU) 2019/1020 to enforce the requirements and obligations of this Regulation, including powers to carry our ex post market surveillance activities that can be integrated, as appropriate, into their existing supervisory mechanisms and procedures under the relevant Union financial services law. It is appropriate to envisage that, when acting as market surveillance authorities under this Regulation, the national authorities responsible for the supervision of credit institutions regulated under Directive 2013/36/EU, which are participating in the Single Supervisory Mechanism established by Council Regulation (EU) No 1024/2013 (52), should report, without delay, to the European Central Bank any information identified in the course of their market surveillance activities that may be of potential interest for the European Central Bank’s
Show original text
Regulation (EU) No 1024/2013 requires that any information found during market surveillance activities, which could be important for the European Central Bank's supervisory tasks, must be reported immediately to the European Central Bank. To improve consistency with the rules for credit institutions under Directive 2013/36/EU, some procedural obligations related to risk management, post-marketing monitoring, and documentation should be incorporated into the existing rules of Directive 2013/36/EU. To prevent overlaps, some exceptions should be allowed regarding the quality management systems of providers and the monitoring responsibilities of those using high-risk AI systems, as long as these apply to credit institutions under Directive 2013/36/EU. This same approach should also apply to insurance and re-insurance companies, insurance holding companies under Directive 2009/138/EC, insurance intermediaries under Directive (EU) 2016/97, and other financial institutions that must follow internal governance and process requirements according to EU financial services laws, ensuring fairness across the financial sector. Each market surveillance authority for high-risk AI systems in biometrics, as listed in an annex to this Regulation, should have strong investigative and corrective powers. This includes the ability to access all personal data being processed and any information needed to carry out their duties. These authorities should operate independently in exercising their powers.
Regulation (EU) No 1024/2013 (52), should report, without delay, to the European Central Bank any information identified in the course of their market surveillance activities that may be of potential interest for the European Central Bank’s prudential supervisory tasks as specified in that Regulation. To further enhance the consistency between this Regulation and the rules applicable to credit institutions regulated under Directive 2013/36/EU, it is also appropriate to integrate some of the providers’ procedural obligations in relation to risk management, post marketing monitoring and documentation into the existing obligations and procedures under Directive 2013/36/EU. In order to avoid overlaps, limited derogations should also be envisaged in relation to the quality management system of providers and the monitoring obligation placed on deployers of high-risk AI systems to the extent that these apply to credit institutions regulated by Directive 2013/36/EU. The same regime should apply to insurance and re-insurance undertakings and insurance holding companies under Directive 2009/138/EC and the insurance intermediaries under Directive (EU) 2016/97 and other types of financial institutions subject to requirements regarding internal governance, arrangements or processes established pursuant to the relevant Union financial services law to ensure consistency and equal treatment in the financial sector. (159) Each market surveillance authority for high-risk AI systems in the area of biometrics, as listed in an annex to this Regulation insofar as those systems are used for the purposes of law enforcement, migration, asylum and border control management, or the administration of justice and democratic processes, should have effective investigative and corrective powers, including at least the power to obtain access to all personal data that are being processed and to all information necessary for the performance of its tasks. The market surveillance authorities should be able to exercise their powers by acting with complete independence.
Show original text
Market surveillance authorities must have the power to access all personal data being processed and any information needed to perform their duties. They should operate independently, and any restrictions on their access to sensitive operational data under this Regulation should not affect their powers granted by Directive (EU) 2016/680. Additionally, any limitations on sharing data with national data protection authorities should not impact their current or future powers outside this Regulation. Market surveillance authorities and the Commission can propose joint activities, such as joint investigations, to ensure compliance, identify non-compliance, raise awareness, and provide guidance regarding this Regulation, especially for high-risk AI systems that pose serious risks across multiple Member States. These joint compliance activities should follow Article 9 of Regulation (EU) 2019/1020, with the AI Office offering coordination support. It is important to clarify the roles and responsibilities at both the Union and national levels for AI systems based on general-purpose AI models. To prevent overlapping responsibilities, if an AI system is based on a general-purpose AI model provided by the same supplier, supervision should be streamlined.
corrective powers, including at least the power to obtain access to all personal data that are being processed and to all information necessary for the performance of its tasks. The market surveillance authorities should be able to exercise their powers by acting with complete independence. Any limitations of their access to sensitive operational data under this Regulation should be without prejudice to the powers conferred to them by Directive (EU) 2016/680. No exclusion on disclosing data to national data protection authorities under this Regulation should affect the current or future powers of those authorities beyond the scope of this Regulation. (160) The market surveillance authorities and the Commission should be able to propose joint activities, including joint investigations, to be conducted by market surveillance authorities or market surveillance authorities jointly with the Commission, that have the aim of promoting compliance, identifying non-compliance, raising awareness and providing guidance in relation to this Regulation with respect to specific categories of high-risk AI systems that are found to present a serious risk across two or more Member States. Joint activities to promote compliance should be carried out in accordance with Article 9 of Regulation (EU) 2019/1020. The AI Office should provide coordination support for joint investigations. (161) It is necessary to clarify the responsibilities and competences at Union and national level as regards AI systems that are built on general-purpose AI models. To avoid overlapping competences, where an AI system is based on a general-purpose AI model and the model and system are provided by the same provider, the supervision should EN OJ L, 12.7.
Show original text
To prevent overlapping responsibilities, when an AI system uses a general-purpose AI model from the same provider, supervision should be implemented. This is in accordance with various directives and regulations, including: 1. Directive 2013/36/EU from the European Parliament and Council, dated June 26, 2013, which addresses access to credit institutions and their supervision, while amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC. 2. Directive 2014/17/EU from the European Parliament and Council, dated February 4, 2014, which focuses on credit agreements for consumers related to residential property, amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010. 3. Directive (EU) 2016/97 from the European Parliament and Council, dated January 20, 2016, concerning insurance distribution. 4. Council Regulation (EU) No 1024/2013, dated October 15, 2013, which assigns specific tasks to the European Central Bank regarding the prudential supervision of credit institutions.
-purpose AI models. To avoid overlapping competences, where an AI system is based on a general-purpose AI model and the model and system are provided by the same provider, the supervision should EN OJ L, 12.7.2024 40/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (49) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). (50) Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010 (OJ L 60, 28.2.2014, p. 34). (51) Directive (EU) 2016/97 of the European Parliament and of the Council of 20 January 2016 on insurance distribution (OJ L 26, 2.2.2016, p. 19). (52) Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63).
Show original text
On 15 October 2013, specific tasks were assigned to the European Central Bank regarding the prudential supervision of credit institutions (Official Journal L 287, 29.10.2013, p. 63). At the Union level, the AI Office will act as a market surveillance authority as defined by Regulation (EU) 2019/1020. National market surveillance authorities will still oversee AI systems in most cases. However, for general-purpose AI systems that can be used for at least one high-risk purpose, these authorities must work with the AI Office to evaluate compliance and inform the Board and other authorities. If a market surveillance authority cannot complete an investigation on a high-risk AI system due to lack of access to information about the general-purpose AI model it is based on, they can request help from the AI Office. In such situations, the mutual assistance procedures outlined in Chapter VI of Regulation (EU) 2019/1020 will apply. To effectively utilize Union expertise, the Commission should have the authority to supervise and enforce obligations on providers of general-purpose AI models. The AI Office will monitor the implementation of this Regulation regarding these models and can investigate potential violations either on its own or at the request of market surveillance authorities, as specified in this Regulation.
of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (OJ L 287, 29.10.2013, p. 63). take place at Union level through the AI Office, which should have the powers of a market surveillance authority within the meaning of Regulation (EU) 2019/1020 for this purpose. In all other cases, national market surveillance authorities remain responsible for the supervision of AI systems. However, for general-purpose AI systems that can be used directly by deployers for at least one purpose that is classified as high-risk, market surveillance authorities should cooperate with the AI Office to carry out evaluations of compliance and inform the Board and other market surveillance authorities accordingly. Furthermore, market surveillance authorities should be able to request assistance from the AI Office where the market surveillance authority is unable to conclude an investigation on a high-risk AI system because of its inability to access certain information related to the general-purpose AI model on which the high-risk AI system is built. In such cases, the procedure regarding mutual assistance in cross-border cases in Chapter VI of Regulation (EU) 2019/1020 should apply mutatis mutandis. (162) To make best use of the centralised Union expertise and synergies at Union level, the powers of supervision and enforcement of the obligations on providers of general-purpose AI models should be a competence of the Commission. The AI Office should be able to carry out all necessary actions to monitor the effective implementation of this Regulation as regards general-purpose AI models. It should be able to investigate possible infringements of the rules on providers of general-purpose AI models both on its own initiative, following the results of its monitoring activities, or upon request from market surveillance authorities in line with the conditions set out in this Regulation.
Show original text
The AI Office can investigate potential violations of rules regarding general-purpose AI model providers. This can happen on its own initiative, based on monitoring results, or at the request of market surveillance authorities, as outlined in the Regulation. To enhance monitoring, downstream providers can file complaints about possible rule violations. To strengthen the governance of general-purpose AI models, a scientific panel will assist the AI Office in monitoring activities. In certain situations, the panel can alert the AI Office if it suspects that a general-purpose AI model poses a specific risk at the Union level or if it meets criteria for being classified as a systemic risk model. The panel can request the Commission to obtain necessary documentation or information from providers to perform its duties. The AI Office is responsible for ensuring that providers of general-purpose AI models comply with the obligations set by this Regulation. It can investigate potential violations by requesting documentation, conducting evaluations, and asking providers to take specific actions. To ensure thorough evaluations, the AI Office can engage independent experts to assist in this process.
possible infringements of the rules on providers of general-purpose AI models both on its own initiative, following the results of its monitoring activities, or upon request from market surveillance authorities in line with the conditions set out in this Regulation. To support effective monitoring of the AI Office, it should provide for the possibility that downstream providers lodge complaints about possible infringements of the rules on providers of general-purpose AI models and systems. (163) With a view to complementing the governance systems for general-purpose AI models, the scientific panel should support the monitoring activities of the AI Office and may, in certain cases, provide qualified alerts to the AI Office which trigger follow-ups, such as investigations. This should be the case where the scientific panel has reason to suspect that a general-purpose AI model poses a concrete and identifiable risk at Union level. Furthermore, this should be the case where the scientific panel has reason to suspect that a general-purpose AI model meets the criteria that would lead to a classification as general-purpose AI model with systemic risk. To equip the scientific panel with the information necessary for the performance of those tasks, there should be a mechanism whereby the scientific panel can request the Commission to require documentation or information from a provider. (164) The AI Office should be able to take the necessary actions to monitor the effective implementation of and compliance with the obligations for providers of general-purpose AI models laid down in this Regulation. The AI Office should be able to investigate possible infringements in accordance with the powers provided for in this Regulation, including by requesting documentation and information, by conducting evaluations, as well as by requesting measures from providers of general-purpose AI models. When conducting evaluations, in order to make use of independent expertise, the AI Office should be able to involve independent experts to carry out the evaluations on its behalf.
Show original text
The AI Office can request measures from providers of general-purpose AI models and involve independent experts for evaluations. Compliance with obligations can be enforced through requests for appropriate actions, such as risk mitigation for identified systemic risks, or by restricting, withdrawing, or recalling the AI model. Additionally, providers of general-purpose AI models should have procedural rights as outlined in Article 18 of Regulation (EU) 2019/1020, which will apply similarly, without affecting more specific rights in this Regulation. Developing AI systems that are not classified as high-risk, according to this Regulation, may promote the use of ethical and trustworthy AI in the EU. Providers of non-high-risk AI systems should be encouraged to create codes of conduct and governance mechanisms to voluntarily adopt some or all mandatory requirements for high-risk AI systems, tailored to their lower risk and intended purpose, while considering available technical solutions and industry best practices like model and data cards. All providers and deployers of AI systems, whether high-risk or not, should also be encouraged to voluntarily follow additional requirements related to the EU’s Ethics Guidelines for Trustworthy AI.
well as by requesting measures from providers of general-purpose AI models. When conducting evaluations, in order to make use of independent expertise, the AI Office should be able to involve independent experts to carry out the evaluations on its behalf. Compliance with the obligations should be enforceable, inter alia, through requests to take appropriate measures, including risk mitigation measures in the case of identified systemic risks as well as restricting the making available on the market, withdrawing or recalling the model. As a safeguard, where needed beyond the procedural rights provided for in this Regulation, providers of general-purpose AI models should have the procedural rights provided for in Article 18 of Regulation (EU) 2019/1020, which should apply mutatis mutandis, without prejudice to more specific procedural rights provided for by this Regulation. (165) The development of AI systems other than high-risk AI systems in accordance with the requirements of this Regulation may lead to a larger uptake of ethical and trustworthy AI in the Union. Providers of AI systems that are not high-risk should be encouraged to create codes of conduct, including related governance mechanisms, intended to foster the voluntary application of some or all of the mandatory requirements applicable to high-risk AI systems, adapted in light of the intended purpose of the systems and the lower risk involved and taking into account the available technical solutions and industry best practices such as model and data cards. Providers and, as appropriate, deployers of all AI systems, high-risk or not, and AI models should also be encouraged to apply on a voluntary basis additional requirements related, for example, to the elements of the Union’s Ethics Guidelines for Trustworthy AI, OJ L, 12.7.
Show original text
AI models, whether high-risk or not, should voluntarily follow additional guidelines based on the Union’s Ethics Guidelines for Trustworthy AI. These guidelines include promoting environmental sustainability, improving AI literacy, and ensuring inclusive and diverse design and development of AI systems. This means paying attention to vulnerable groups and making systems accessible for people with disabilities. It is also important to involve various stakeholders, such as businesses, civil society organizations, academia, research institutions, trade unions, and consumer protection groups, in the design and development of AI systems. Diversity in development teams, including gender balance, is essential. To ensure that voluntary codes of conduct are effective, they should have clear goals and key performance indicators to measure success. The European Commission may create initiatives to reduce technical barriers that hinder cross-border data exchange for AI development, focusing on data access and interoperability. Additionally, AI systems that are not classified as high-risk must still be safe when marketed or used. Regulation (EU) 2023/988 will serve as a safety net for this purpose.
high-risk or not, and AI models should also be encouraged to apply on a voluntary basis additional requirements related, for example, to the elements of the Union’s Ethics Guidelines for Trustworthy AI, OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 41/144 environmental sustainability, AI literacy measures, inclusive and diverse design and development of AI systems, including attention to vulnerable persons and accessibility to persons with disability, stakeholders’ participation with the involvement, as appropriate, of relevant stakeholders such as business and civil society organisations, academia, research organisations, trade unions and consumer protection organisations in the design and development of AI systems, and diversity of the development teams, including gender balance. To ensure that the voluntary codes of conduct are effective, they should be based on clear objectives and key performance indicators to measure the achievement of those objectives. They should also be developed in an inclusive way, as appropriate, with the involvement of relevant stakeholders such as business and civil society organisations, academia, research organisations, trade unions and consumer protection organisation. The Commission may develop initiatives, including of a sectoral nature, to facilitate the lowering of technical barriers hindering cross-border exchange of data for AI development, including on data access infrastructure, semantic and technical interoperability of different types of data. (166) It is important that AI systems related to products that are not high-risk in accordance with this Regulation and thus are not required to comply with the requirements set out for high-risk AI systems are nevertheless safe when placed on the market or put into service. To contribute to this objective, Regulation (EU) 2023/988 of the European Parliament and of the Council (53) would apply as a safety net.
Show original text
Systems are considered safe when they are sold or used. To support this, Regulation (EU) 2023/988 from the European Parliament and Council acts as a safety measure. To ensure effective cooperation among authorities at both the EU and national levels, all parties involved must keep information and data confidential, following EU or national laws. They must protect intellectual property rights, confidential business information, trade secrets, public and national security, and the integrity of legal proceedings and classified information. Compliance with this Regulation can be enforced through penalties and other measures. Member States must ensure the Regulation is followed by establishing effective and proportionate penalties for violations, while respecting the principle of ne bis in idem (not being tried twice for the same offense). To standardize penalties, specific upper limits for administrative fines for certain violations will be set. When determining fines, Member States should consider the specific circumstances, including the nature and seriousness of the violation, its duration, its consequences, and the size of the provider, especially if it is a small or start-up business. The European Data Protection Supervisor can impose fines on EU institutions, agencies, and bodies covered by this Regulation.
systems are nevertheless safe when placed on the market or put into service. To contribute to this objective, Regulation (EU) 2023/988 of the European Parliament and of the Council (53) would apply as a safety net. (167) In order to ensure trustful and constructive cooperation of competent authorities on Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks, in accordance with Union or national law. They should carry out their tasks and activities in such a manner as to protect, in particular, intellectual property rights, confidential business information and trade secrets, the effective implementation of this Regulation, public and national security interests, the integrity of criminal and administrative proceedings, and the integrity of classified information. (168) Compliance with this Regulation should be enforceable by means of the imposition of penalties and other enforcement measures. Member States should take all necessary measures to ensure that the provisions of this Regulation are implemented, including by laying down effective, proportionate and dissuasive penalties for their infringement, and to respect the ne bis in idem principle. In order to strengthen and harmonise administrative penalties for infringement of this Regulation, the upper limits for setting the administrative fines for certain specific infringements should be laid down. When assessing the amount of the fines, Member States should, in each individual case, take into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and to the size of the provider, in particular if the provider is an SME, including a start-up. The European Data Protection Supervisor should have the power to impose fines on Union institutions, agencies and bodies falling within the scope of this Regulation.
Show original text
The size of the provider matters, especially if it is a small or medium-sized enterprise (SME) or a start-up. The European Data Protection Supervisor should be able to impose fines on EU institutions, agencies, and bodies under this Regulation. Compliance with the rules for providers of general-purpose AI models should be enforceable through fines. There should be specific fine amounts for not following these rules, including not complying with requests from the Commission, while ensuring that these fines are fair and proportional. All decisions made by the Commission under this Regulation can be reviewed by the Court of Justice of the European Union, which has the authority to impose penalties as outlined in Article 261 of the TFEU. Existing EU and national laws already offer effective remedies for individuals and organizations whose rights are negatively impacted by AI systems. In addition to these remedies, anyone who believes their rights have been violated by this Regulation can file a complaint with the appropriate market surveillance authority. Individuals affected by decisions based on outputs from certain high-risk AI systems should have the right to receive an explanation, especially if those decisions have significant legal effects or negatively impact them.
the size of the provider, in particular if the provider is an SME, including a start-up. The European Data Protection Supervisor should have the power to impose fines on Union institutions, agencies and bodies falling within the scope of this Regulation. (169) Compliance with the obligations on providers of general-purpose AI models imposed under this Regulation should be enforceable, inter alia, by means of fines. To that end, appropriate levels of fines should also be laid down for infringement of those obligations, including the failure to comply with measures requested by the Commission in accordance with this Regulation, subject to appropriate limitation periods in accordance with the principle of proportionality. All decisions taken by the Commission under this Regulation are subject to review by the Court of Justice of the European Union in accordance with the TFEU, including the unlimited jurisdiction of the Court of Justice with regard to penalties pursuant to Article 261 TFEU. (170) Union and national law already provide effective remedies to natural and legal persons whose rights and freedoms are adversely affected by the use of AI systems. Without prejudice to those remedies, any natural or legal person that has grounds to consider that there has been an infringement of this Regulation should be entitled to lodge a complaint to the relevant market surveillance authority. (171) Affected persons should have the right to obtain an explanation where a deployer’s decision is based mainly upon the output from certain high-risk AI systems that fall within the scope of this Regulation and where that decision produces legal effects or similarly significantly affects those persons in a way that they consider to have an adverse EN OJ L, 12.7.
Show original text
Certain high-risk AI systems covered by this Regulation must provide clear explanations when their decisions have legal effects or significantly impact individuals in ways they view as harmful to their health, safety, or fundamental rights. This explanation should help affected individuals understand their rights. However, the right to an explanation does not apply to AI systems that are exempt or restricted by Union or national law, and it only applies if this right is not already established by Union law. Additionally, whistleblowers who report violations of this Regulation should be protected under Union law, specifically under Directive (EU) 2019/1937, which safeguards those reporting such violations.
certain high-risk AI systems that fall within the scope of this Regulation and where that decision produces legal effects or similarly significantly affects those persons in a way that they consider to have an adverse EN OJ L, 12.7.2024 42/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (53) Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety, amending Regulation (EU) No 1025/2012 of the European Parliament and of the Council and Directive (EU) 2020/1828 of the European Parliament and the Council, and repealing Directive 2001/95/EC of the European Parliament and of the Council and Council Directive 87/357/EEC (OJ L 135, 23.5.2023, p. 1). impact on their health, safety or fundamental rights. That explanation should be clear and meaningful and should provide a basis on which the affected persons are able to exercise their rights. The right to obtain an explanation should not apply to the use of AI systems for which exceptions or restrictions follow from Union or national law and should apply only to the extent this right is not already provided for under Union law. (172) Persons acting as whistleblowers on the infringements of this Regulation should be protected under the Union law. Directive (EU) 2019/1937 of the European Parliament and of the Council (54) should therefore apply to the reporting of infringements of this Regulation and the protection of persons reporting such infringements.
Show original text
Under Union law, Directive (EU) 2019/1937 from the European Parliament and Council applies to reporting violations of this Regulation and protecting those who report such violations. To ensure the regulatory framework can be updated as needed, the Commission is given the authority to make changes regarding which AI systems are classified as high-risk, the list of high-risk AI systems, technical documentation requirements, the EU declaration of conformity, and conformity assessment procedures. This includes setting thresholds, benchmarks, and indicators for classifying general-purpose AI models with systemic risk, as well as criteria for designating these models and providing necessary technical documentation and transparency information. It is crucial that the Commission consults appropriately during this process, including engaging with experts, and follows the principles of the Interinstitutional Agreement on Better Law-Making from April 13, 2016. To ensure equal participation, the European Parliament and the Council should receive all relevant documents simultaneously with Member States’ experts, and their experts should have access to Commission expert group meetings related to these delegated acts.
under the Union law. Directive (EU) 2019/1937 of the European Parliament and of the Council (54) should therefore apply to the reporting of infringements of this Regulation and the protection of persons reporting such infringements. (173) In order to ensure that the regulatory framework can be adapted where necessary, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to amend the conditions under which an AI system is not to be considered to be high-risk, the list of high-risk AI systems, the provisions regarding technical documentation, the content of the EU declaration of conformity the provisions regarding the conformity assessment procedures, the provisions establishing the high-risk AI systems to which the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation should apply, the threshold, benchmarks and indicators, including by supplementing those benchmarks and indicators, in the rules for the classification of general-purpose AI models with systemic risk, the criteria for the designation of general-purpose AI models with systemic risk, the technical documentation for providers of general-purpose AI models and the transparency information for providers of general-purpose AI models. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (55). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
Show original text
When preparing delegated acts, the European Parliament and the Council receive all documents simultaneously with experts from Member States. These experts also have regular access to meetings of Commission expert groups involved in preparing these acts. Due to rapid technological advancements and the expertise needed to effectively implement this Regulation, the Commission must evaluate and review it by August 2, 2029, and every four years after that, reporting to the European Parliament and the Council. Additionally, the Commission should assess annually whether to update the list of high-risk AI systems and prohibited practices. By August 2, 2028, and every four years thereafter, the Commission must evaluate and report on the need to amend the list of high-risk areas, the AI systems subject to transparency obligations, the effectiveness of supervision and governance, and progress on developing standards for energy-efficient general-purpose AI models, including any further necessary actions. Furthermore, by August 2, 2028, and every three years thereafter, the Commission should assess the impact and effectiveness of voluntary codes of conduct aimed at promoting compliance with requirements for high-risk AI systems, as well as any additional requirements for other AI systems. To ensure consistent implementation of this Regulation, the Commission will be granted implementing powers, which will be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council.
the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. (174) Given the rapid technological developments and the technical expertise required to effectively apply this Regulation, the Commission should evaluate and review this Regulation by 2 August 2029 and every four years thereafter and report to the European Parliament and the Council. In addition, taking into account the implications for the scope of this Regulation, the Commission should carry out an assessment of the need to amend the list of high-risk AI systems and the list of prohibited practices once a year. Moreover, by 2 August 2028 and every four years thereafter, the Commission should evaluate and report to the European Parliament and to the Council on the need to amend the list of high-risk areas headings in the annex to this Regulation, the AI systems within the scope of the transparency obligations, the effectiveness of the supervision and governance system and the progress on the development of standardisation deliverables on energy efficient development of general-purpose AI models, including the need for further measures or actions. Finally, by 2 August 2028 and every three years thereafter, the Commission should evaluate the impact and effectiveness of voluntary codes of conduct to foster the application of the requirements provided for high-risk AI systems in the case of AI systems other than high-risk AI systems and possibly other additional requirements for such AI systems. (175) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (56).
Show original text
To ensure consistent application of this Regulation, the European Commission will be given specific powers to implement it, following the guidelines of Regulation (EU) No 182/2011. The main goal of this Regulation is to enhance the internal market and encourage the use of human-centered and trustworthy AI, while also protecting health, safety, and fundamental rights as outlined in the Charter. This includes upholding democracy, the rule of law, and environmental protection against the negative impacts of AI systems in the EU. Since individual Member States cannot achieve these objectives effectively on their own, it is better for the EU to take action at a Union level, in line with the principle of subsidiarity stated in Article 5 TEU.
uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (56). (176) Since the objective of this Regulation, namely to improve the functioning of the internal market and to promote the uptake of human centric and trustworthy AI, while ensuring a high level of protection of health, safety, fundamental rights enshrined in the Charter, including democracy, the rule of law and environmental protection against harmful effects of AI systems in the Union and supporting innovation, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 43/144 (54) Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (OJ L 305, 26.11.2019, p. 17). (55) OJ L 123, 12.5.2016, p. 1. (56) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). measures in accordance with the principle of subsidiarity as set out in Article 5 TEU.
Show original text
The Commission's implementation powers are outlined in the Official Journal (OJ L 55, 28.2.2011, p. 13). This regulation follows the principle of subsidiarity from Article 5 of the Treaty on European Union (TEU) and adheres to the principle of proportionality, meaning it does not exceed what is necessary to achieve its goals. To provide legal certainty and allow operators time to adapt without disrupting the market, this regulation will apply to high-risk AI systems that were already on the market before the regulation's general application date, but only if those systems undergo significant changes in design or purpose after that date. 'Significant change' is defined similarly to 'substantial modification' for high-risk AI systems under this regulation. Additionally, operators of AI systems that are part of large-scale IT systems specified in an annex to this regulation, as well as those using high-risk AI systems for public authorities, must comply with the regulation by the end of 2030 and by August 2, 2030, respectively. Providers of high-risk AI systems are encouraged to voluntarily start complying with the regulation during the transitional period. This regulation will take effect on August 2, 2026.
States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13). measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective. (177) In order to ensure legal certainty, ensure an appropriate adaptation period for operators and avoid disruption to the market, including by ensuring continuity of the use of AI systems, it is appropriate that this Regulation applies to the high-risk AI systems that have been placed on the market or put into service before the general date of application thereof, only if, from that date, those systems are subject to significant changes in their design or intended purpose. It is appropriate to clarify that, in this respect, the concept of significant change should be understood as equivalent in substance to the notion of substantial modification, which is used with regard only to high-risk AI systems pursuant to this Regulation. On an exceptional basis and in light of public accountability, operators of AI systems which are components of the large-scale IT systems established by the legal acts listed in an annex to this Regulation and operators of high-risk AI systems that are intended to be used by public authorities should, respectively, take the necessary steps to comply with the requirements of this Regulation by end of 2030 and by 2 August 2030. (178) Providers of high-risk AI systems are encouraged to start to comply, on a voluntary basis, with the relevant obligations of this Regulation already during the transitional period. (179) This Regulation should apply from 2 August 2026.
Show original text
Providers of high-risk AI systems are encouraged to voluntarily start following the rules of this Regulation during the transitional period. This Regulation will officially take effect on August 2, 2026. However, due to the high risks associated with certain uses of AI, some prohibitions and general rules will take effect earlier, on February 2, 2025. While the full enforcement of these prohibitions will depend on the establishment of governance and enforcement mechanisms, it is important to implement them early to address unacceptable risks and influence other legal processes. Additionally, the governance infrastructure and conformity assessment system should be operational by August 2, 2026, which means the rules regarding notified bodies and governance will start on August 2, 2025. Given the rapid development of general-purpose AI models, obligations for their providers will also begin on August 2, 2025. Codes of practice must be ready by May 2, 2025, to help providers demonstrate compliance on time. The AI Office will ensure that classification rules and procedures are updated according to technological advancements. Furthermore, Member States need to establish and inform the Commission about penalty rules, including administrative fines, and ensure their effective implementation by the Regulation's application date. Thus, the penalty provisions will take effect on August 2, 2025.
) Providers of high-risk AI systems are encouraged to start to comply, on a voluntary basis, with the relevant obligations of this Regulation already during the transitional period. (179) This Regulation should apply from 2 August 2026. However, taking into account the unacceptable risk associated with the use of AI in certain ways, the prohibitions as well as the general provisions of this Regulation should already apply from 2 February 2025. While the full effect of those prohibitions follows with the establishment of the governance and enforcement of this Regulation, anticipating the application of the prohibitions is important to take account of unacceptable risks and to have an effect on other procedures, such as in civil law. Moreover, the infrastructure related to the governance and the conformity assessment system should be operational before 2 August 2026, therefore the provisions on notified bodies and governance structure should apply from 2 August 2025. Given the rapid pace of technological advancements and adoption of general-purpose AI models, obligations for providers of general-purpose AI models should apply from 2 August 2025. Codes of practice should be ready by 2 May 2025 in view of enabling providers to demonstrate compliance on time. The AI Office should ensure that classification rules and procedures are up to date in light of technological developments. In addition, Member States should lay down and notify to the Commission the rules on penalties, including administrative fines, and ensure that they are properly and effectively implemented by the date of application of this Regulation. Therefore the provisions on penalties should apply from 2 August 2025.
Show original text
The Commission must establish and notify the rules regarding penalties, including administrative fines, and ensure their effective implementation by the time this Regulation takes effect. Therefore, the penalty provisions will be in effect starting from August 2, 2025. The European Data Protection Supervisor and the European Data Protection Board were consulted as required by Article 42(1) and (2) of Regulation (EU) 2018/1725, and they provided their joint opinion on June 18, 2021. This Regulation aims to enhance the internal market and encourage the use of trustworthy, human-centered artificial intelligence (AI), while ensuring strong protection for health, safety, fundamental rights, democracy, the rule of law, and environmental safety against the negative impacts of AI systems in the EU, while also fostering innovation. The Regulation includes: (a) standardized rules for marketing, deploying, and using AI systems in the EU; (b) bans on certain AI practices; (c) specific requirements and obligations for high-risk AI systems; (d) standardized transparency rules for certain AI systems; (e) standardized rules for marketing general-purpose AI models; (f) rules for market monitoring, surveillance, governance, and enforcement; (g) measures to support innovation, especially for small and medium-sized enterprises (SMEs) and start-ups.
down and notify to the Commission the rules on penalties, including administrative fines, and ensure that they are properly and effectively implemented by the date of application of this Regulation. Therefore the provisions on penalties should apply from 2 August 2025. (180) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(1) and (2) of Regulation (EU) 2018/1725 and delivered their joint opinion on 18 June 2021, HAVE ADOPTED THIS REGULATION: CHAPTER I GENERAL PROVISIONS Article 1 Subject matter` 1. The purpose of this Regulation is to improve the functioning of the internal market and promote the uptake of human-centric and trustworthy artificial intelligence (AI), while ensuring a high level of protection of health, safety, fundamental rights enshrined in the Charter, including democracy, the rule of law and environmental protection, against the harmful effects of AI systems in the Union and supporting innovation. 2. This Regulation lays down: (a) harmonised rules for the placing on the market, the putting into service, and the use of AI systems in the Union; EN OJ L, 12.7.2024 44/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (b) prohibitions of certain AI practices; (c) specific requirements for high-risk AI systems and obligations for operators of such systems; (d) harmonised transparency rules for certain AI systems; (e) harmonised rules for the placing on the market of general-purpose AI models; (f) rules on market monitoring, market surveillance, governance and enforcement; (g) measures to support innovation, with a particular focus on SMEs, including start-ups. Article 2 Scope 1.
Show original text
This regulation covers the following aspects of general-purpose AI models: (f) rules for monitoring the market, overseeing compliance, and enforcing regulations; (g) measures to encourage innovation, especially for small and medium-sized enterprises (SMEs) and start-ups. Article 2 Scope 1. This regulation applies to: (a) providers who sell or use AI systems or general-purpose AI models in the European Union, regardless of whether they are based in the EU or outside it; (b) users of AI systems based in the EU; (c) providers and users of AI systems based outside the EU if the AI's output is used in the EU; (d) importers and distributors of AI systems; (e) manufacturers who sell or use an AI system with their product under their brand; (f) authorized representatives of providers not based in the EU; (g) individuals affected by AI systems located in the EU. 2. For AI systems classified as high-risk according to Article 6(1) related to products under EU harmonization laws listed in Section B of Annex I, only Article 6(1), Articles 102 to 109, and Article 112 apply. Article 57 applies only if the high-risk AI system requirements are included in that EU harmonization legislation. 3. This regulation does not cover areas outside EU law and does not affect the powers of Member States regarding national security, regardless of which entity they assign to handle those responsibilities.
on the market of general-purpose AI models; (f) rules on market monitoring, market surveillance, governance and enforcement; (g) measures to support innovation, with a particular focus on SMEs, including start-ups. Article 2 Scope 1. This Regulation applies to: (a) providers placing on the market or putting into service AI systems or placing on the market general-purpose AI models in the Union, irrespective of whether those providers are established or located within the Union or in a third country; (b) deployers of AI systems that have their place of establishment or are located within the Union; (c) providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the Union; (d) importers and distributors of AI systems; (e) product manufacturers placing on the market or putting into service an AI system together with their product and under their own name or trademark; (f) authorised representatives of providers, which are not established in the Union; (g) affected persons that are located in the Union. 2. For AI systems classified as high-risk AI systems in accordance with Article 6(1) related to products covered by the Union harmonisation legislation listed in Section B of Annex I, only Article 6(1), Articles 102 to 109 and Article 112 apply. Article 57 applies only in so far as the requirements for high-risk AI systems under this Regulation have been integrated in that Union harmonisation legislation. 3. This Regulation does not apply to areas outside the scope of Union law, and shall not, in any event, affect the competences of the Member States concerning national security, regardless of the type of entity entrusted by the Member States with carrying out tasks in relation to those competences.
Show original text
Union law does not affect the powers of Member States regarding national security, regardless of who they assign to handle those responsibilities. This Regulation does not cover AI systems that are marketed, used, or modified solely for military, defense, or national security purposes, no matter who is involved. It also does not apply to AI systems that are not sold or used in the Union if their results are only for military, defense, or national security purposes. Additionally, this Regulation does not apply to public authorities in other countries or international organizations that use AI for law enforcement or judicial cooperation with the Union, as long as they ensure adequate protection of individual rights. Furthermore, this Regulation does not change the liability rules for providers of intermediary services as outlined in Regulation (EU) 2022/2065. Lastly, it does not apply to AI systems or models created specifically for scientific research and development.
the scope of Union law, and shall not, in any event, affect the competences of the Member States concerning national security, regardless of the type of entity entrusted by the Member States with carrying out tasks in relation to those competences. This Regulation does not apply to AI systems where and in so far they are placed on the market, put into service, or used with or without modification exclusively for military, defence or national security purposes, regardless of the type of entity carrying out those activities. This Regulation does not apply to AI systems which are not placed on the market or put into service in the Union, where the output is used in the Union exclusively for military, defence or national security purposes, regardless of the type of entity carrying out those activities. 4. This Regulation applies neither to public authorities in a third country nor to international organisations falling within the scope of this Regulation pursuant to paragraph 1, where those authorities or organisations use AI systems in the framework of international cooperation or agreements for law enforcement and judicial cooperation with the Union or with one or more Member States, provided that such a third country or international organisation provides adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals. 5. This Regulation shall not affect the application of the provisions on the liability of providers of intermediary services as set out in Chapter II of Regulation (EU) 2022/2065. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 45/144 6. This Regulation does not apply to AI systems or AI models, including their output, specifically developed and put into service for the sole purpose of scientific research and development. 7.
Show original text
This Regulation does not cover AI systems or models created solely for scientific research and development. It also does not affect existing laws on personal data protection, such as Regulation (EU) 2016/679, Regulation (EU) 2018/1725, Directive 2002/58/EC, or Regulation (EU) 2016/680, except for specific articles in this Regulation. Additionally, the Regulation does not apply to research, testing, or development of AI systems before they are marketed or used, although real-world testing is not excluded. It does not interfere with other EU laws related to consumer protection and product safety. Furthermore, it does not impose obligations on individuals using AI systems for personal, non-professional purposes. The Regulation allows the EU or Member States to create laws that better protect workers' rights regarding AI use by employers, and it does not apply to AI systems released under free and open-source licenses unless they are classified as high-risk or fall under specific articles.
/2024/1689/oj 45/144 6. This Regulation does not apply to AI systems or AI models, including their output, specifically developed and put into service for the sole purpose of scientific research and development. 7. Union law on the protection of personal data, privacy and the confidentiality of communications applies to personal data processed in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect Regulation (EU) 2016/679 or (EU) 2018/1725, or Directive 2002/58/EC or (EU) 2016/680, without prejudice to Article 10(5) and Article 59 of this Regulation. 8. This Regulation does not apply to any research, testing or development activity regarding AI systems or AI models prior to their being placed on the market or put into service. Such activities shall be conducted in accordance with applicable Union law. Testing in real world conditions shall not be covered by that exclusion. 9. This Regulation is without prejudice to the rules laid down by other Union legal acts related to consumer protection and product safety. 10. This Regulation does not apply to obligations of deployers who are natural persons using AI systems in the course of a purely personal non-professional activity. 11. This Regulation does not preclude the Union or Member States from maintaining or introducing laws, regulations or administrative provisions which are more favourable to workers in terms of protecting their rights in respect of the use of AI systems by employers, or from encouraging or allowing the application of collective agreements which are more favourable to workers. 12. This Regulation does not apply to AI systems released under free and open-source licences, unless they are placed on the market or put into service as high-risk AI systems or as an AI system that falls under Article 5 or 50.
Show original text
This Regulation does not apply to AI systems that are released under free and open-source licenses, unless they are marketed or used as high-risk AI systems or fall under Article 5 or 50. Article 3 Definitions: 1. An 'AI system' is a machine-based system designed to operate with different levels of autonomy. It can adapt after being deployed and generates outputs like predictions, content, recommendations, or decisions based on the input it receives, which can affect physical or virtual environments. 2. 'Risk' refers to the likelihood of harm occurring and the seriousness of that harm. 3. A 'provider' is any individual or organization that develops an AI system or general-purpose AI model, or has one developed, and markets or uses it under their name or trademark, whether for payment or free. 4. A 'deployer' is any individual or organization using an AI system under their authority, except for personal non-professional use. 5. An 'authorized representative' is an individual or organization based in the Union that has received a written mandate from a provider to fulfill the obligations and procedures set by this Regulation on their behalf. 6. An 'importer' is an individual or organization based in the Union that markets an AI system under the name or trademark of a person or organization from a third country.
12. This Regulation does not apply to AI systems released under free and open-source licences, unless they are placed on the market or put into service as high-risk AI systems or as an AI system that falls under Article 5 or 50. Article 3 Definitions For the purposes of this Regulation, the following definitions apply: (1) ‘AI system’ means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments; (2) ‘risk’ means the combination of the probability of an occurrence of harm and the severity of that harm; (3) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge; (4) ‘deployer’ means a natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity; (5) ‘authorised representative’ means a natural or legal person located or established in the Union who has received and accepted a written mandate from a provider of an AI system or a general-purpose AI model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation; (6) ‘importer’ means a natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country; (7)
Show original text
(6) An 'importer' is a person or company based in the Union that sells an AI system under the name or trademark of a person or company from a non-EU country. (7) A 'distributor' is a person or company in the supply chain, other than the provider or importer, that makes an AI system available for sale in the Union market. (8) An 'operator' includes the provider, manufacturer, deployer, authorized representative, importer, or distributor of an AI system. (9) 'Placing on the market' refers to the first time an AI system or general-purpose AI model is made available in the Union market. (10) 'Making available on the market' means supplying an AI system or general-purpose AI model for distribution or use in the Union market, whether for payment or free. (11) 'Putting into service' means supplying an AI system for its first use, either directly to the deployer or for personal use in the Union. (12) 'Intended purpose' is the use that the provider specifies for the AI system, including the context and conditions of use, as detailed in the provider's instructions, promotional materials, and technical documentation. (13) 'Reasonably foreseeable misuse' refers to using an AI system in a way that is not intended but could happen due to predictable human behavior or interaction with other systems, including other AI systems. (14) A 'safety component' is a part of a product or AI system that contributes to its safety.
; (6) ‘importer’ means a natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country; (7) ‘distributor’ means a natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market; (8) ‘operator’ means a provider, product manufacturer, deployer, authorised representative, importer or distributor; EN OJ L, 12.7.2024 46/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (9) ‘placing on the market’ means the first making available of an AI system or a general-purpose AI model on the Union market; (10) ‘making available on the market’ means the supply of an AI system or a general-purpose AI model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge; (11) ‘putting into service’ means the supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purpose; (12) ‘intended purpose’ means the use for which an AI system is intended by the provider, including the specific context and conditions of use, as specified in the information supplied by the provider in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation; (13) ‘reasonably foreseeable misuse’ means the use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems; (14) ‘safety component’ means a component of a product or of an AI system which fulf
Show original text
The following terms are defined for clarity: (14) A 'safety component' is part of a product or AI system that ensures safety; if it fails, it can harm people or property. (15) 'Instructions for use' are guidelines provided by the supplier to explain how to properly use an AI system and its intended purpose. (16) A 'recall of an AI system' refers to actions taken to return or disable an AI system that has been provided to users. (17) 'Withdrawal of an AI system' means preventing an AI system from being sold in the market. (18) The 'performance of an AI system' is its ability to fulfill its intended purpose. (19) A 'notifying authority' is the national body responsible for assessing and monitoring conformity assessment organizations. (20) 'Conformity assessment' is the process of verifying if a high-risk AI system meets the required standards. (21) A 'conformity assessment body' is an organization that conducts independent assessments, including testing and certification. (22) A 'notified body' is a conformity assessment body recognized under this regulation and relevant EU laws. (23) A 'substantial modification' is any unplanned change to an AI system after it has been marketed, which was not included in the initial assessment by the provider.
accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems, including other AI systems; (14) ‘safety component’ means a component of a product or of an AI system which fulfils a safety function for that product or AI system, or the failure or malfunctioning of which endangers the health and safety of persons or property; (15) ‘instructions for use’ means the information provided by the provider to inform the deployer of, in particular, an AI system’s intended purpose and proper use; (16) ‘recall of an AI system’ means any measure aiming to achieve the return to the provider or taking out of service or disabling the use of an AI system made available to deployers; (17) ‘withdrawal of an AI system’ means any measure aiming to prevent an AI system in the supply chain being made available on the market; (18) ‘performance of an AI system’ means the ability of an AI system to achieve its intended purpose; (19) ‘notifying authority’ means the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring; (20) ‘conformity assessment’ means the process of demonstrating whether the requirements set out in Chapter III, Section 2 relating to a high-risk AI system have been fulfilled; (21) ‘conformity assessment body’ means a body that performs third-party conformity assessment activities, including testing, certification and inspection; (22) ‘notified body’ means a conformity assessment body notified in accordance with this Regulation and other relevant Union harmonisation legislation; (23) ‘substantial modification’ means a change to an AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment carried out by the provider and as a result of which the
Show original text
23) A 'substantial modification' refers to any change made to an AI system after it has been released to the market or put into use, which was not anticipated in the initial assessment by the provider. This change can affect the system's compliance with the requirements in Chapter III, Section 2, or alter its intended purpose. 24) 'CE marking' is a label that a provider uses to show that an AI system meets the requirements outlined in Chapter III, Section 2, as well as other relevant EU regulations. 25) A 'post-market monitoring system' includes all actions taken by AI system providers to gather and analyze feedback from the use of their systems in the market. This is done to identify any immediate need for corrective or preventive measures. 26) A 'market surveillance authority' is the national body responsible for enforcing the activities and measures outlined in Regulation (EU) 2019/1020. 27) A 'harmonised standard' is defined in Article 2(1), point (c), of Regulation (EU) No 1025/2012. 28) A 'common specification' is a set of technical guidelines defined in Article 2, point (4) of Regulation (EU) No 1025/2012, which helps ensure compliance with specific requirements established by this Regulation. 29) 'Training data' refers to the data used to train an AI system by adjusting its learnable parameters. 30) 'Validation data' is the data used to evaluate the performance of an AI system.
23) ‘substantial modification’ means a change to an AI system after its placing on the market or putting into service which is not foreseen or planned in the initial conformity assessment carried out by the provider and as a result of which the compliance of the AI system with the requirements set out in Chapter III, Section 2 is affected or results in a modification to the intended purpose for which the AI system has been assessed; (24) ‘CE marking’ means a marking by which a provider indicates that an AI system is in conformity with the requirements set out in Chapter III, Section 2 and other applicable Union harmonisation legislation providing for its affixing; (25) ‘post-market monitoring system’ means all activities carried out by providers of AI systems to collect and review experience gained from the use of AI systems they place on the market or put into service for the purpose of identifying any need to immediately apply any necessary corrective or preventive actions; (26) ‘market surveillance authority’ means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 47/144 (27) ‘harmonised standard’ means a harmonised standard as defined in Article 2(1), point (c), of Regulation (EU) No 1025/2012; (28) ‘common specification’ means a set of technical specifications as defined in Article 2, point (4) of Regulation (EU) No 1025/2012, providing means to comply with certain requirements established under this Regulation; (29) ‘training data’ means data used for training an AI system through fitting its learnable parameters; (30) ‘validation data’ means data used for providing an evaluation
Show original text
This text defines several terms related to AI systems: - **Training data**: Data used to train an AI system by adjusting its learnable parameters. - **Validation data**: Data used to evaluate the trained AI system and adjust its non-learnable parameters to avoid underfitting or overfitting. - **Validation data set**: A separate set of data or a portion of the training data, which can be fixed or variable. - **Testing data**: Data used to independently evaluate the AI system's performance before it is released or put into use. - **Input data**: Data given to the AI system that it uses to generate an output. - **Biometric data**: Personal data derived from specific technical processing related to a person's physical, physiological, or behavioral traits, such as facial images or fingerprints. - **Biometric identification**: The automated recognition of human features to establish a person's identity by comparing their biometric data to data stored in a database. - **Biometric verification**: The automated process of confirming a person's identity by comparing their biometric data to previously provided data. - **Special categories of personal data**: Categories defined in specific EU regulations that include sensitive information. - **Sensitive operational**: (The text cuts off here, but it likely refers to operational data that is sensitive in nature.)
2, providing means to comply with certain requirements established under this Regulation; (29) ‘training data’ means data used for training an AI system through fitting its learnable parameters; (30) ‘validation data’ means data used for providing an evaluation of the trained AI system and for tuning its non-learnable parameters and its learning process in order, inter alia, to prevent underfitting or overfitting; (31) ‘validation data set’ means a separate data set or part of the training data set, either as a fixed or variable split; (32) ‘testing data’ means data used for providing an independent evaluation of the AI system in order to confirm the expected performance of that system before its placing on the market or putting into service; (33) ‘input data’ means data provided to or directly acquired by an AI system on the basis of which the system produces an output; (34) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, such as facial images or dactyloscopic data; (35) ‘biometric identification’ means the automated recognition of physical, physiological, behavioural, or psychological human features for the purpose of establishing the identity of a natural person by comparing biometric data of that individual to biometric data of individuals stored in a database; (36) ‘biometric verification’ means the automated, one-to-one verification, including authentication, of the identity of natural persons by comparing their biometric data to previously provided biometric data; (37) ‘special categories of personal data’ means the categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725; (38) ‘sensitive operational
Show original text
According to Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680, and Article 10(1) of Regulation (EU) 2018/1725: 1. 'Sensitive operational data' refers to information related to preventing, detecting, investigating, or prosecuting crimes, which, if disclosed, could harm the integrity of criminal proceedings. 2. An 'emotion recognition system' is an AI tool designed to identify or infer people's emotions or intentions based on their biometric data. 3. A 'biometric categorisation system' is an AI tool that assigns individuals to specific categories based on their biometric data, unless it is part of another commercial service and necessary for technical reasons. 4. A 'remote biometric identification system' is an AI tool that identifies individuals without their active participation, usually from a distance, by comparing their biometric data to a reference database. 5. A 'real-time remote biometric identification system' is a type of remote system where the capturing, comparing, and identifying of biometric data happens almost instantly, with only minimal delays to prevent evasion. 6. A 'post-remote biometric identification system' is any remote identification system that is not real-time. 7. A 'publicly accessible space' is any physical location, whether public or private, that can be accessed by an unspecified number of people, regardless of any access conditions or capacity limits.
of Regulation (EU) 2016/679, Article 10 of Directive (EU) 2016/680 and Article 10(1) of Regulation (EU) 2018/1725; (38) ‘sensitive operational data’ means operational data related to activities of prevention, detection, investigation or prosecution of criminal offences, the disclosure of which could jeopardise the integrity of criminal proceedings; (39) ‘emotion recognition system’ means an AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data; (40) ‘biometric categorisation system’ means an AI system for the purpose of assigning natural persons to specific categories on the basis of their biometric data, unless it is ancillary to another commercial service and strictly necessary for objective technical reasons; (41) ‘remote biometric identification system’ means an AI system for the purpose of identifying natural persons, without their active involvement, typically at a distance through the comparison of a person’s biometric data with the biometric data contained in a reference database; (42) ‘real-time remote biometric identification system’ means a remote biometric identification system, whereby the capturing of biometric data, the comparison and the identification all occur without a significant delay, comprising not only instant identification, but also limited short delays in order to avoid circumvention; (43) ‘post-remote biometric identification system’ means a remote biometric identification system other than a real-time remote biometric identification system; (44) ‘publicly accessible space’ means any publicly or privately owned physical place accessible to an undetermined number of natural persons, regardless of whether certain conditions for access may apply, and regardless of the potential capacity restrictions; EN OJ L, 12.7.
Show original text
A 'place' refers to any physical location, whether publicly or privately owned, that can be accessed by an unspecified number of people, regardless of any access conditions or capacity limits. (45) A 'law enforcement authority' is defined as: (a) any public authority responsible for preventing, investigating, detecting, or prosecuting criminal offenses, as well as enforcing criminal penalties and ensuring public security; or (b) any other organization designated by national law to perform these public functions related to crime prevention and public safety. (46) 'Law enforcement' includes activities conducted by law enforcement authorities or on their behalf to prevent, investigate, detect, or prosecute criminal offenses and enforce penalties, while also ensuring public safety. (47) The 'AI Office' refers to the Commission's role in overseeing the implementation, monitoring, and governance of AI systems and general-purpose AI models, as established in the Commission Decision of January 24, 2024. References to the AI Office in this regulation should be understood as references to the Commission. (48) A 'national competent authority' is either a notifying authority or a market surveillance authority. For AI systems used by EU institutions, agencies, and bodies, references to national authorities in this regulation should be interpreted as referring to the European Data Protection Supervisor. (49) A 'serious incident' is defined as an event or malfunction of an AI system that results in direct or indirect consequences.
’ means any publicly or privately owned physical place accessible to an undetermined number of natural persons, regardless of whether certain conditions for access may apply, and regardless of the potential capacity restrictions; EN OJ L, 12.7.2024 48/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (45) ‘law enforcement authority’ means: (a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or (b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; (46) ‘law enforcement’ means activities carried out by law enforcement authorities or on their behalf for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security; (47) ‘AI Office’ means the Commission’s function of contributing to the implementation, monitoring and supervision of AI systems and general-purpose AI models, and AI governance, provided for in Commission Decision of 24 January 2024; references in this Regulation to the AI Office shall be construed as references to the Commission; (48) ‘national competent authority’ means a notifying authority or a market surveillance authority; as regards AI systems put into service or used by Union institutions, agencies, offices and bodies, references to national competent authorities or market surveillance authorities in this Regulation shall be construed as references to the European Data Protection Supervisor; (49) ‘serious incident’ means an incident or malfunctioning of an AI system that directly or indirectly leads to any of the
Show original text
In this regulation, references to authorities or market surveillance authorities mean the European Data Protection Supervisor. A 'serious incident' refers to a malfunction of an AI system that results in: (a) the death of a person or serious health harm; (b) major disruption to critical infrastructure; (c) violations of Union laws protecting fundamental rights; or (d) significant damage to property or the environment. 'Personal data' is defined in Article 4, point (1) of Regulation (EU) 2016/679, while 'non-personal data' refers to any data that is not personal data as defined in the same article. 'Profiling' is also defined in Article 4, point (4) of Regulation (EU) 2016/679. A 'real-world testing plan' is a document outlining the goals, methods, geographical area, population, timing, monitoring, organization, and execution of tests in real-world settings. A 'sandbox plan' is an agreement between a provider and a competent authority that details the objectives, conditions, timeline, methods, and requirements for activities within a sandbox. An 'AI regulatory sandbox' is a controlled environment established by a competent authority that allows AI system providers to develop, train, validate, and test innovative AI systems under regulatory supervision for a limited time, following a sandbox plan. 'AI literacy' refers to the skills, knowledge, and understanding that enable providers, users, and affected individuals to make informed decisions based on their rights and responsibilities under this regulation.
authorities or market surveillance authorities in this Regulation shall be construed as references to the European Data Protection Supervisor; (49) ‘serious incident’ means an incident or malfunctioning of an AI system that directly or indirectly leads to any of the following: (a) the death of a person, or serious harm to a person’s health; (b) a serious and irreversible disruption of the management or operation of critical infrastructure; (c) the infringement of obligations under Union law intended to protect fundamental rights; (d) serious harm to property or the environment; (50) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; (51) ‘non-personal data’ means data other than personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679; (52) ‘profiling’ means profiling as defined in Article 4, point (4), of Regulation (EU) 2016/679; (53) ‘real-world testing plan’ means a document that describes the objectives, methodology, geographical, population and temporal scope, monitoring, organisation and conduct of testing in real-world conditions; (54) ‘sandbox plan’ means a document agreed between the participating provider and the competent authority describing the objectives, conditions, timeframe, methodology and requirements for the activities carried out within the sandbox; (55) ‘AI regulatory sandbox’ means a controlled framework set up by a competent authority which offers providers or prospective providers of AI systems the possibility to develop, train, validate and test, where appropriate in real-world conditions, an innovative AI system, pursuant to a sandbox plan for a limited time under regulatory supervision; (56) ‘AI literacy’ means skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed
Show original text
The following terms are defined under regulatory supervision for a limited time: 1. **AI Literacy**: This refers to the skills, knowledge, and understanding that help providers, users, and affected individuals to effectively use AI systems. It includes awareness of the benefits and risks of AI, as well as potential harm. 2. **Testing in Real-World Conditions**: This is the temporary testing of an AI system in actual environments (not in labs) to collect reliable data and check if the AI meets regulatory standards. This testing does not count as officially launching the AI system, as long as it meets the conditions in Articles 57 or 60. 3. **Subject**: In the context of real-world testing, a subject is a person who takes part in the testing. 4. **Informed Consent**: This is when a subject voluntarily agrees to participate in testing after being fully informed about all relevant aspects of the testing. 5. **Deep Fake**: This refers to AI-created or altered images, audio, or videos that mimic real people, objects, or events, making them appear authentic or truthful when they are not. 6. **Widespread Infringement**: This means any action or failure to act that goes against EU laws protecting individual rights, which has harmed or could harm the collective interests of individuals living in the EU.
a limited time under regulatory supervision; (56) ‘AI literacy’ means skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 49/144 (57) ‘testing in real-world conditions’ means the temporary testing of an AI system for its intended purpose in real-world conditions outside a laboratory or otherwise simulated environment, with a view to gathering reliable and robust data and to assessing and verifying the conformity of the AI system with the requirements of this Regulation and it does not qualify as placing the AI system on the market or putting it into service within the meaning of this Regulation, provided that all the conditions laid down in Article 57 or 60 are fulfilled; (58) ‘subject’, for the purpose of real-world testing, means a natural person who participates in testing in real-world conditions; (59) ‘informed consent’ means a subject’s freely given, specific, unambiguous and voluntary expression of his or her willingness to participate in a particular testing in real-world conditions, after having been informed of all aspects of the testing that are relevant to the subject’s decision to participate; (60) ‘deep fake’ means AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful; (61) ‘widespread infringement’ means any act or omission contrary to Union law protecting the interest of individuals, which: (a) has harmed or is likely to harm the collective interests of individuals residing in at
Show original text
To be authentic or truthful; (61) 'widespread infringement' refers to any action or failure to act that goes against Union law meant to protect individuals' interests. This includes: (a) actions that have harmed or could harm the collective interests of individuals living in at least two Member States, excluding the Member State where the action occurred or where the provider or deployer is based; (b) actions that have caused or could cause harm to collective interests and share common characteristics, such as the same illegal practice, occurring simultaneously by the same operator in at least three Member States; (62) 'critical infrastructure' is defined in Article 2, point (4), of Directive (EU) 2022/2557; (63) 'general-purpose AI model' is an AI model that is trained on a large dataset using self-supervision and can perform a wide range of tasks, regardless of how it is marketed, excluding models used for research or development before being sold; (64) 'high-impact capabilities' are those that match or exceed the abilities of the most advanced general-purpose AI models; (65) 'systemic risk' refers to risks specific to the high-impact capabilities of general-purpose AI models that could significantly affect the Union market or have negative consequences for public health, safety, security, or fundamental rights.
to be authentic or truthful; (61) ‘widespread infringement’ means any act or omission contrary to Union law protecting the interest of individuals, which: (a) has harmed or is likely to harm the collective interests of individuals residing in at least two Member States other than the Member State in which: (i) the act or omission originated or took place; (ii) the provider concerned, or, where applicable, its authorised representative is located or established; or (iii) the deployer is established, when the infringement is committed by the deployer; (b) has caused, causes or is likely to cause harm to the collective interests of individuals and has common features, including the same unlawful practice or the same interest being infringed, and is occurring concurrently, committed by the same operator, in at least three Member States; (62) ‘critical infrastructure’ means critical infrastructure as defined in Article 2, point (4), of Directive (EU) 2022/2557; (63) ‘general-purpose AI model’ means an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market; (64) ‘high-impact capabilities’ means capabilities that match or exceed the capabilities recorded in the most advanced general-purpose AI models; (65) ‘systemic risk’ means a risk that is specific to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the
Show original text
General-purpose AI models can significantly affect the market and may have negative impacts on public health, safety, security, fundamental rights, or society as a whole, especially when these effects can spread widely across the value chain. A 'general-purpose AI system' is defined as an AI system that uses a general-purpose AI model and can be used for various purposes, either directly or by being integrated into other AI systems. A 'floating-point operation' refers to any mathematical operation involving floating-point numbers, which are a type of real number represented in computers using a fixed precision integer scaled by a fixed base integer exponent. A 'downstream provider' is any provider of an AI system, including general-purpose AI systems, that integrates an AI model, regardless of whether they created the model themselves or obtained it through contracts with another entity. Article 4 discusses AI literacy, stating that providers and users of AI systems must ensure their staff and others involved in operating and using these systems have adequate AI knowledge. This should consider their technical skills, experience, education, and the specific context in which the AI systems will be used, as well as the individuals or groups affected by these systems. Chapter II outlines prohibited AI practices in Article 5.
to the high-impact capabilities of general-purpose AI models, having a significant impact on the Union market due to their reach, or due to actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or the society as a whole, that can be propagated at scale across the value chain; (66) ‘general-purpose AI system’ means an AI system which is based on a general-purpose AI model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems; (67) ‘floating-point operation’ means any mathematical operation or assignment involving floating-point numbers, which are a subset of the real numbers typically represented on computers by an integer of fixed precision scaled by an integer exponent of a fixed base; (68) ‘downstream provider’ means a provider of an AI system, including a general-purpose AI system, which integrates an AI model, regardless of whether the AI model is provided by themselves and vertically integrated or provided by another entity based on contractual relations. EN OJ L, 12.7.2024 50/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 4 AI literacy Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used. CHAPTER II PROHIBITED AI PRACTICES Article 5 Prohibited AI practices 1.
Show original text
AI systems must be used with consideration for the individuals or groups they affect. **CHAPTER II: PROHIBITED AI PRACTICES** **Article 5: Prohibited AI Practices** 1. The following AI practices are not allowed: (a) Selling, using, or implementing an AI system that uses subliminal techniques or manipulative methods to significantly distort a person's or group's behavior, impairing their ability to make informed decisions and potentially causing them significant harm. (b) Selling, using, or implementing an AI system that takes advantage of the vulnerabilities of individuals or specific groups due to their age, disability, or particular social or economic situations, leading to harmful behavior changes. (c) Selling, using, or implementing AI systems that evaluate or classify individuals or groups over time based on their social behavior or personal characteristics, resulting in: (i) Unfair treatment of individuals or groups in unrelated social contexts; (ii) Unjustified negative treatment of individuals or groups.
AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used. CHAPTER II PROHIBITED AI PRACTICES Article 5 Prohibited AI practices 1. The following AI practices shall be prohibited: (a) the placing on the market, the putting into service or the use of an AI system that deploys subliminal techniques beyond a person’s consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of materially distorting the behaviour of a person or a group of persons by appreciably impairing their ability to make an informed decision, thereby causing them to take a decision that they would not have otherwise taken in a manner that causes or is reasonably likely to cause that person, another person or group of persons significant harm; (b) the placing on the market, the putting into service or the use of an AI system that exploits any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation, with the objective, or the effect, of materially distorting the behaviour of that person or a person belonging to that group in a manner that causes or is reasonably likely to cause that person or another person significant harm; (c) the placing on the market, the putting into service or the use of AI systems for the evaluation or classification of natural persons or groups of persons over a certain period of time based on their social behaviour or known, inferred or predicted personal or personality characteristics, with the social score leading to either or both of the following: (i) detrimental or unfavourable treatment of certain natural persons or groups of persons in social contexts that are unrelated to the contexts in which the data was originally generated or collected; (ii) detrimental or unfavourable treatment of certain natural persons or groups of persons that is unjustified or dispro
Show original text
This text outlines several prohibitions related to the use of AI systems: (i) Using data about individuals or groups in social situations that are not connected to where the data was originally collected; (ii) Treating certain individuals or groups unfairly without justification, especially if the treatment is excessive compared to their behavior; (d) Selling or using AI systems to assess the risk of someone committing a crime based only on their profile or personality traits, unless the AI supports human judgment based on clear evidence of criminal activity; (e) Selling or using AI systems that gather facial images from the internet or CCTV without targeting specific individuals to create or enhance facial recognition databases; (f) Selling or using AI systems to determine people's emotions in workplaces or educational settings, unless it's for medical or safety purposes; (g) Selling or using biometric categorization systems that classify individuals based on their biometric data to infer sensitive information like race, political beliefs, union membership, religious beliefs, sexual orientation, or personal relationships.
persons or groups of persons in social contexts that are unrelated to the contexts in which the data was originally generated or collected; (ii) detrimental or unfavourable treatment of certain natural persons or groups of persons that is unjustified or disproportionate to their social behaviour or its gravity; (d) the placing on the market, the putting into service for this specific purpose, or the use of an AI system for making risk assessments of natural persons in order to assess or predict the risk of a natural person committing a criminal offence, based solely on the profiling of a natural person or on assessing their personality traits and characteristics; this prohibition shall not apply to AI systems used to support the human assessment of the involvement of a person in a criminal activity, which is already based on objective and verifiable facts directly linked to a criminal activity; (e) the placing on the market, the putting into service for this specific purpose, or the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage; (f) the placing on the market, the putting into service for this specific purpose, or the use of AI systems to infer emotions of a natural person in the areas of workplace and education institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 51/144 (g) the placing on the market, the putting into service for this specific purpose, or the use of biometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation; this prohibition does not
Show original text
Biometric categorization systems analyze individuals' biometric data to determine their race, political views, union membership, religious beliefs, sexual orientation, or personal relationships. However, this prohibition does not apply to the lawful labeling or filtering of biometric datasets, like images, or to the categorization of biometric data for law enforcement purposes. Additionally, the use of real-time remote biometric identification systems in public spaces for law enforcement is restricted. Such use is only allowed when it is essential for: 1. Searching for specific victims of abduction, human trafficking, or sexual exploitation, as well as locating missing persons; 2. Preventing a serious and immediate threat to someone's life or safety, or a credible threat of a terrorist attack; 3. Identifying or locating a person suspected of a crime, to aid in criminal investigations or prosecutions for serious offenses that could lead to imprisonment for at least four years. This regulation does not affect Article 9 of Regulation (EU) 2016/679, which governs the processing of biometric data for non-law enforcement purposes.
ometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation; this prohibition does not cover any labelling or filtering of lawfully acquired biometric datasets, such as images, based on biometric data or categorizing of biometric data in the area of law enforcement; (h) the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, unless and in so far as such use is strictly necessary for one of the following objectives: (i) the targeted search for specific victims of abduction, trafficking in human beings or sexual exploitation of human beings, as well as the search for missing persons; (ii) the prevention of a specific, substantial and imminent threat to the life or physical safety of natural persons or a genuine and present or genuine and foreseeable threat of a terrorist attack; (iii) the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years. Point (h) of the first subparagraph is without prejudice to Article 9 of Regulation (EU) 2016/679 for the processing of biometric data for purposes other than law enforcement. 2.
Show original text
The maximum duration for using remote biometric identification systems for law enforcement purposes is at least four years. This use must comply with Article 9 of Regulation (EU) 2016/679, which governs the processing of biometric data for non-law enforcement purposes. When using 'real-time' remote biometric identification in public spaces for law enforcement, it should only be used to confirm the identity of a specific individual. The decision to use these systems must consider: (a) the seriousness, likelihood, and extent of harm that could occur if the system is not used; (b) the impact of using the system on the rights and freedoms of all individuals involved, particularly the seriousness, likelihood, and extent of those impacts. Additionally, the use of these systems must follow necessary and proportionate safeguards according to national law, including limits on time, location, and individuals involved. Law enforcement must conduct a fundamental rights impact assessment as outlined in Article 27 and register the system in the EU database as per Article 49. However, in urgent situations, these systems can be used without prior registration, as long as the registration is completed promptly.
maximum period of at least four years. Point (h) of the first subparagraph is without prejudice to Article 9 of Regulation (EU) 2016/679 for the processing of biometric data for purposes other than law enforcement. 2. The use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement for any of the objectives referred to in paragraph 1, first subparagraph, point (h), shall be deployed for the purposes set out in that point only to confirm the identity of the specifically targeted individual, and it shall take into account the following elements: (a) the nature of the situation giving rise to the possible use, in particular the seriousness, probability and scale of the harm that would be caused if the system were not used; (b) the consequences of the use of the system for the rights and freedoms of all persons concerned, in particular the seriousness, probability and scale of those consequences. In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement for any of the objectives referred to in paragraph 1, first subparagraph, point (h), of this Article shall comply with necessary and proportionate safeguards and conditions in relation to the use in accordance with the national law authorising the use thereof, in particular as regards the temporal, geographic and personal limitations. The use of the ‘real-time’ remote biometric identification system in publicly accessible spaces shall be authorised only if the law enforcement authority has completed a fundamental rights impact assessment as provided for in Article 27 and has registered the system in the EU database according to Article 49. However, in duly justified cases of urgency, the use of such systems may be commenced without the registration in the EU database, provided that such registration is completed without undue delay. 3.
Show original text
In the EU, systems for remote biometric identification must be registered in the EU database as per Article 49. However, in urgent situations, these systems can be used without prior registration, as long as the registration is completed quickly. For law enforcement purposes, using a 'real-time' remote biometric identification system in public spaces requires prior approval from a judicial or independent administrative authority in the relevant Member State. This approval must be based on a justified request and follow national laws. In urgent cases, the system can be used without prior approval, but the request for authorization must be made within 24 hours. If the authorization is denied, the use of the system must stop immediately, and all data and results must be deleted. The authority will only grant approval if it is convinced, based on clear evidence, that using the system is necessary and proportionate to achieve specific objectives, and that the use is limited in time, location, and personal scope.
system in the EU database according to Article 49. However, in duly justified cases of urgency, the use of such systems may be commenced without the registration in the EU database, provided that such registration is completed without undue delay. 3. For the purposes of paragraph 1, first subparagraph, point (h) and paragraph 2, each use for the purposes of law enforcement of a ‘real-time’ remote biometric identification system in publicly accessible spaces shall be subject to a prior authorisation granted by a judicial authority or an independent administrative authority whose decision is binding of the Member State in which the use is to take place, issued upon a reasoned request and in accordance with the detailed rules of national law referred to in paragraph 5. However, in a duly justified situation of urgency, the use of such system may be commenced without an authorisation provided that such authorisation is requested without undue delay, at the latest within 24 hours. If such authorisation is rejected, the use shall be stopped with immediate effect and all the data, as well as the results and outputs of that use shall be immediately discarded and deleted. The competent judicial authority or an independent administrative authority whose decision is binding shall grant the authorisation only where it is satisfied, on the basis of objective evidence or clear indications presented to it, that the use of the ‘real-time’ remote biometric identification system concerned is necessary for, and proportionate to, achieving one of the EN OJ L, 12.7.2024 52/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj objectives specified in paragraph 1, first subparagraph, point (h), as identified in the request and, in particular, remains limited to what is strictly necessary concerning the period of time as well as the geographic and personal scope.
Show original text
The objectives mentioned in paragraph 1, first subparagraph, point (h) must be strictly followed, focusing only on what is necessary regarding time, location, and individuals involved. When making a decision on the request, the authority must consider the factors listed in paragraph 2. No decision that negatively affects a person can be made solely based on the results from the 'real-time' remote biometric identification system. Additionally, every use of this system in public spaces for law enforcement must be reported to the relevant market surveillance authority and the national data protection authority, following national rules outlined in paragraph 5. This notification must include the information specified in paragraph 6 but should not contain sensitive operational details. A Member State can choose to allow the use of 'real-time' remote biometric identification systems in public spaces for law enforcement, as long as it adheres to the limits and conditions stated in paragraph 1, first subparagraph, point (h), and paragraphs 2 and 3. Each Member State must establish detailed national laws regarding the request, issuance, use, supervision, and reporting of these authorizations. These laws should also clarify which objectives from paragraph 1, first subparagraph, point (h), including specific criminal offenses mentioned in point (h)(iii), allow authorities to use these systems for law enforcement. Member States must inform the Commission of these rules within 30 days of their adoption.
/oj objectives specified in paragraph 1, first subparagraph, point (h), as identified in the request and, in particular, remains limited to what is strictly necessary concerning the period of time as well as the geographic and personal scope. In deciding on the request, that authority shall take into account the elements referred to in paragraph 2. No decision that produces an adverse legal effect on a person may be taken based solely on the output of the ‘real-time’ remote biometric identification system. 4. Without prejudice to paragraph 3, each use of a ‘real-time’ remote biometric identification system in publicly accessible spaces for law enforcement purposes shall be notified to the relevant market surveillance authority and the national data protection authority in accordance with the national rules referred to in paragraph 5. The notification shall, as a minimum, contain the information specified under paragraph 6 and shall not include sensitive operational data. 5. A Member State may decide to provide for the possibility to fully or partially authorise the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement within the limits and under the conditions listed in paragraph 1, first subparagraph, point (h), and paragraphs 2 and 3. Member States concerned shall lay down in their national law the necessary detailed rules for the request, issuance and exercise of, as well as supervision and reporting relating to, the authorisations referred to in paragraph 3. Those rules shall also specify in respect of which of the objectives listed in paragraph 1, first subparagraph, point (h), including which of the criminal offences referred to in point (h)(iii) thereof, the competent authorities may be authorised to use those systems for the purposes of law enforcement. Member States shall notify those rules to the Commission at the latest 30 days following the adoption thereof.
Show original text
Competent authorities can use remote biometric identification systems for law enforcement, as stated in point (h)(iii). Member States must inform the Commission of these rules within 30 days of their adoption. They can also create stricter laws regarding the use of these systems, following Union law. National market surveillance and data protection authorities in Member States that have been notified about the use of real-time remote biometric identification systems in public spaces for law enforcement must submit annual reports to the Commission. The Commission will provide a template for these reports, which should include the number of decisions made by judicial or independent authorities regarding authorization requests and their outcomes. The Commission will publish annual reports on the use of these systems in public spaces for law enforcement, based on the aggregated data from the Member States' reports. These reports will not contain sensitive operational details about law enforcement activities. This Article does not change any prohibitions related to AI practices that violate other Union laws.
to in point (h)(iii) thereof, the competent authorities may be authorised to use those systems for the purposes of law enforcement. Member States shall notify those rules to the Commission at the latest 30 days following the adoption thereof. Member States may introduce, in accordance with Union law, more restrictive laws on the use of remote biometric identification systems. 6. National market surveillance authorities and the national data protection authorities of Member States that have been notified of the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for law enforcement purposes pursuant to paragraph 4 shall submit to the Commission annual reports on such use. For that purpose, the Commission shall provide Member States and national market surveillance and data protection authorities with a template, including information on the number of the decisions taken by competent judicial authorities or an independent administrative authority whose decision is binding upon requests for authorisations in accordance with paragraph 3 and their result. 7. The Commission shall publish annual reports on the use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes, based on aggregated data in Member States on the basis of the annual reports referred to in paragraph 6. Those annual reports shall not include sensitive operational data of the related law enforcement activities. 8. This Article shall not affect the prohibitions that apply where an AI practice infringes other Union law. CHAPTER III HIGH-RISK AI SYSTEMS SECTION 1 Classification of AI systems as high-risk Article 6 Classification rules for high-risk AI systems 1.
Show original text
This section outlines the rules for classifying high-risk AI systems. An AI system is considered high-risk if it meets two conditions: (1) it is used as a safety component of a product or is a product itself that falls under specific EU safety regulations listed in Annex I, and (2) the product, which includes the AI system, must pass a third-party safety assessment before it can be sold or used, according to the same EU regulations. Additionally, certain AI systems listed in Annex III are also classified as high-risk. However, an AI system from Annex III will not be considered high-risk if it does not significantly threaten the health, safety, or fundamental rights of individuals, including if it does not greatly affect decision-making outcomes.
prohibitions that apply where an AI practice infringes other Union law. CHAPTER III HIGH-RISK AI SYSTEMS SECTION 1 Classification of AI systems as high-risk Article 6 Classification rules for high-risk AI systems 1. Irrespective of whether an AI system is placed on the market or put into service independently of the products referred to in points (a) and (b), that AI system shall be considered to be high-risk where both of the following conditions are fulfilled: (a) the AI system is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation legislation listed in Annex I; (b) the product whose safety component pursuant to point (a) is the AI system, or the AI system itself as a product, is required to undergo a third-party conformity assessment, with a view to the placing on the market or the putting into service of that product pursuant to the Union harmonisation legislation listed in Annex I. 2. In addition to the high-risk AI systems referred to in paragraph 1, AI systems referred to in Annex III shall be considered to be high-risk. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 53/144 3. By derogation from paragraph 2, an AI system referred to in Annex III shall not be considered to be high-risk where it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making.
Show original text
An AI system mentioned in Annex III is not considered high-risk if it does not significantly threaten the health, safety, or fundamental rights of individuals, and does not greatly affect decision-making outcomes. This applies if any of the following conditions are met: (a) the AI system is designed for a specific, limited task; (b) it aims to enhance the results of a task already completed by a human; (c) it identifies patterns in decision-making without replacing or influencing the human assessment, which must be reviewed by a person; or (d) it prepares information for an assessment related to the use cases in Annex III. However, any AI system that profiles individuals is always deemed high-risk. Providers who believe their AI system is not high-risk must document their assessment before the system is marketed or used. They must also register as required by Article 49(2) and provide this documentation to national authorities if requested. The Commission will, after consulting the European Artificial Intelligence Board, issue guidelines by February 2, 2026, detailing how to implement this article and will include examples of high-risk and not high-risk AI systems.
system referred to in Annex III shall not be considered to be high-risk where it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making. The first subparagraph shall apply where any of the following conditions is fulfilled: (a) the AI system is intended to perform a narrow procedural task; (b) the AI system is intended to improve the result of a previously completed human activity; (c) the AI system is intended to detect decision-making patterns or deviations from prior decision-making patterns and is not meant to replace or influence the previously completed human assessment, without proper human review; or (d) the AI system is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III. Notwithstanding the first subparagraph, an AI system referred to in Annex III shall always be considered to be high-risk where the AI system performs profiling of natural persons. 4. A provider who considers that an AI system referred to in Annex III is not high-risk shall document its assessment before that system is placed on the market or put into service. Such provider shall be subject to the registration obligation set out in Article 49(2). Upon request of national competent authorities, the provider shall provide the documentation of the assessment. 5. The Commission shall, after consulting the European Artificial Intelligence Board (the ‘Board’), and no later than 2 February 2026, provide guidelines specifying the practical implementation of this Article in line with Article 96 together with a comprehensive list of practical examples of use cases of AI systems that are high-risk and not high-risk. 6.
Show original text
By February 2, 2026, the Commission must provide guidelines for implementing this Article, in accordance with Article 96. These guidelines should include a detailed list of practical examples of both high-risk and low-risk AI systems. The Commission has the authority to make changes to the conditions outlined in paragraph 3, second subparagraph, of this Article through delegated acts, as stated in Article 97. This can happen if there is solid evidence that certain AI systems listed in Annex III do not pose a significant risk to health, safety, or fundamental rights. Additionally, the Commission can remove any conditions in paragraph 3, second subparagraph, if there is reliable evidence showing that such changes are necessary to maintain the protection of health, safety, and fundamental rights as required by this Regulation. Any changes made to the conditions in paragraph 3 must not lower the overall protection of health, safety, and fundamental rights provided by this Regulation. These changes should also align with other delegated acts from Article 7(1) and consider market and technological advancements.
later than 2 February 2026, provide guidelines specifying the practical implementation of this Article in line with Article 96 together with a comprehensive list of practical examples of use cases of AI systems that are high-risk and not high-risk. 6. The Commission is empowered to adopt delegated acts in accordance with Article 97 in order to amend paragraph 3, second subparagraph, of this Article by adding new conditions to those laid down therein, or by modifying them, where there is concrete and reliable evidence of the existence of AI systems that fall under the scope of Annex III, but do not pose a significant risk of harm to the health, safety or fundamental rights of natural persons. 7. The Commission shall adopt delegated acts in accordance with Article 97 in order to amend paragraph 3, second subparagraph, of this Article by deleting any of the conditions laid down therein, where there is concrete and reliable evidence that this is necessary to maintain the level of protection of health, safety and fundamental rights provided for by this Regulation. 8. Any amendment to the conditions laid down in paragraph 3, second subparagraph, adopted in accordance with paragraphs 6 and 7 of this Article shall not decrease the overall level of protection of health, safety and fundamental rights provided for by this Regulation and shall ensure consistency with the delegated acts adopted pursuant to Article 7(1), and take account of market and technological developments. Article 7 Amendments to Annex III 1.
Show original text
This regulation ensures safety and fundamental rights while aligning with delegated acts from Article 7(1) and considering market and technological changes. Article 7: Changes to Annex III 1. The Commission can create delegated acts to update Annex III by adding or changing high-risk AI system use-cases if both of these conditions are met: (a) The AI systems are meant for use in areas listed in Annex III; (b) The AI systems pose a risk to health and safety or could negatively affect fundamental rights, and this risk is equal to or greater than that of existing high-risk AI systems in Annex III. 2. When evaluating condition (b), the Commission will consider: (a) The intended purpose of the AI system; (b) How widely the AI system has been or is expected to be used; (c) The type and amount of data the AI system processes, especially if it includes sensitive personal data; (d) How much the AI system operates independently and whether a human can override its decisions that might cause harm; (e) Any past harm caused by the AI system to health and safety or fundamental rights, or significant concerns about potential harm, as shown by reports to national authorities or other relevant documentation.
safety and fundamental rights provided for by this Regulation and shall ensure consistency with the delegated acts adopted pursuant to Article 7(1), and take account of market and technological developments. Article 7 Amendments to Annex III 1. The Commission is empowered to adopt delegated acts in accordance with Article 97 to amend Annex III by adding or modifying use-cases of high-risk AI systems where both of the following conditions are fulfilled: (a) the AI systems are intended to be used in any of the areas listed in Annex III; (b) the AI systems pose a risk of harm to health and safety, or an adverse impact on fundamental rights, and that risk is equivalent to, or greater than, the risk of harm or of adverse impact posed by the high-risk AI systems already referred to in Annex III. EN OJ L, 12.7.2024 54/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2. When assessing the condition under paragraph 1, point (b), the Commission shall take into account the following criteria: (a) the intended purpose of the AI system; (b) the extent to which an AI system has been used or is likely to be used; (c) the nature and amount of the data processed and used by the AI system, in particular whether special categories of personal data are processed; (d) the extent to which the AI system acts autonomously and the possibility for a human to override a decision or recommendations that may lead to potential harm; (e) the extent to which the use of an AI system has already caused harm to health and safety, has had an adverse impact on fundamental rights or has given rise to significant concerns in relation to the likelihood of such harm or adverse impact, as demonstrated, for example, by reports or documented allegations submitted to national competent authorities or by other reports, as appropriate
Show original text
The impact on fundamental rights or concerns about potential harm can be shown through reports or allegations made to national authorities. Key factors to consider include: (f) the potential severity of harm and its ability to affect many people or disproportionately impact specific groups; (g) how dependent individuals are on the outcomes produced by an AI system, especially if they cannot reasonably opt-out; (h) any power imbalances where those at risk are vulnerable compared to the AI system's deployer, due to factors like status, authority, knowledge, economic or social conditions, or age; (i) how easily the outcomes from the AI system can be corrected or reversed, noting that negative impacts on health, safety, or fundamental rights are not easily fixable; (j) the potential benefits of the AI system for individuals, groups, or society, including improvements in product safety; (k) how existing Union law provides: (i) effective ways to address risks from AI systems, excluding damage claims; (ii) effective measures to prevent or significantly reduce those risks.
impact on fundamental rights or has given rise to significant concerns in relation to the likelihood of such harm or adverse impact, as demonstrated, for example, by reports or documented allegations submitted to national competent authorities or by other reports, as appropriate; (f) the potential extent of such harm or such adverse impact, in particular in terms of its intensity and its ability to affect multiple persons or to disproportionately affect a particular group of persons; (g) the extent to which persons who are potentially harmed or suffer an adverse impact are dependent on the outcome produced with an AI system, in particular because for practical or legal reasons it is not reasonably possible to opt-out from that outcome; (h) the extent to which there is an imbalance of power, or the persons who are potentially harmed or suffer an adverse impact are in a vulnerable position in relation to the deployer of an AI system, in particular due to status, authority, knowledge, economic or social circumstances, or age; (i) the extent to which the outcome produced involving an AI system is easily corrigible or reversible, taking into account the technical solutions available to correct or reverse it, whereby outcomes having an adverse impact on health, safety or fundamental rights, shall not be considered to be easily corrigible or reversible; (j) the magnitude and likelihood of benefit of the deployment of the AI system for individuals, groups, or society at large, including possible improvements in product safety; (k) the extent to which existing Union law provides for: (i) effective measures of redress in relation to the risks posed by an AI system, with the exclusion of claims for damages; (ii) effective measures to prevent or substantially minimise those risks. 3.
Show original text
Existing Union law includes provisions for: (i) effective ways to address risks from AI systems, excluding damage claims; (ii) effective measures to prevent or significantly reduce these risks. The Commission can update the list in Annex III by removing high-risk AI systems if two conditions are met: (a) the AI system no longer poses significant risks to fundamental rights, health, or safety, based on specific criteria; (b) removing it does not lower the overall protection of health, safety, and fundamental rights under Union law. SECTION 2 Requirements for High-Risk AI Systems Article 8 Compliance with Requirements 1. High-risk AI systems must meet the requirements outlined in this section, considering their intended use and the current state of AI technology. The risk management system mentioned in Article 9 must be considered for compliance. 2. If a product includes an AI system that falls under this Regulation and the Union harmonization legislation listed in Annex I, providers must ensure that their product complies with all relevant requirements.
to which existing Union law provides for: (i) effective measures of redress in relation to the risks posed by an AI system, with the exclusion of claims for damages; (ii) effective measures to prevent or substantially minimise those risks. 3. The Commission is empowered to adopt delegated acts in accordance with Article 97 to amend the list in Annex III by removing high-risk AI systems where both of the following conditions are fulfilled: (a) the high-risk AI system concerned no longer poses any significant risks to fundamental rights, health or safety, taking into account the criteria listed in paragraph 2; (b) the deletion does not decrease the overall level of protection of health, safety and fundamental rights under Union law. SECTION 2 Requirements for high-risk AI systems Article 8 Compliance with the requirements 1. High-risk AI systems shall comply with the requirements laid down in this Section, taking into account their intended purpose as well as the generally acknowledged state of the art on AI and AI-related technologies. The risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 55/144 2. Where a product contains an AI system, to which the requirements of this Regulation as well as requirements of the Union harmonisation legislation listed in Section A of Annex I apply, providers shall be responsible for ensuring that their product is fully compliant with all applicable requirements under applicable Union harmonisation legislation.
Show original text
Providers must ensure that their products meet all requirements outlined in this Regulation and the Union harmonisation legislation listed in Section A of Annex I. For high-risk AI systems, providers can integrate necessary testing and reporting processes into existing documentation required by the Union harmonisation legislation to ensure compliance, consistency, and reduce duplication of efforts. Article 9 Risk Management System 1. A risk management system must be created, implemented, documented, and maintained for high-risk AI systems. 2. This system is a continuous process that runs throughout the entire lifecycle of the AI system, requiring regular reviews and updates. It includes the following steps: (a) Identifying and analyzing known and foreseeable risks to health, safety, or fundamental rights when the AI system is used as intended; (b) Estimating and evaluating risks that may arise from intended use and reasonable misuse; (c) Evaluating additional risks based on data from the post-market monitoring system mentioned in Article 72; (d) Implementing appropriate risk management measures to address the identified risks from step (a).
which the requirements of this Regulation as well as requirements of the Union harmonisation legislation listed in Section A of Annex I apply, providers shall be responsible for ensuring that their product is fully compliant with all applicable requirements under applicable Union harmonisation legislation. In ensuring the compliance of high-risk AI systems referred to in paragraph 1 with the requirements set out in this Section, and in order to ensure consistency, avoid duplication and minimise additional burdens, providers shall have a choice of integrating, as appropriate, the necessary testing and reporting processes, information and documentation they provide with regard to their product into documentation and procedures that already exist and are required under the Union harmonisation legislation listed in Section A of Annex I. Article 9 Risk management system 1. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems. 2. The risk management system shall be understood as a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic review and updating. It shall comprise the following steps: (a) the identification and analysis of the known and the reasonably foreseeable risks that the high-risk AI system can pose to health, safety or fundamental rights when the high-risk AI system is used in accordance with its intended purpose; (b) the estimation and evaluation of the risks that may emerge when the high-risk AI system is used in accordance with its intended purpose, and under conditions of reasonably foreseeable misuse; (c) the evaluation of other risks possibly arising, based on the analysis of data gathered from the post-market monitoring system referred to in Article 72; (d) the adoption of appropriate and targeted risk management measures designed to address the risks identified pursuant to point (a). 3.
Show original text
This text discusses the management of risks associated with high-risk AI systems based on data from post-market monitoring. It emphasizes the need for targeted risk management measures to address identified risks. The risks mentioned can only be reduced or eliminated through the design and development of the AI system or by providing sufficient technical information. The risk management measures should consider how different requirements interact to minimize risks effectively while maintaining a balance in their implementation. These measures must ensure that the remaining risks from each hazard and the overall risk of the AI system are acceptable. To identify the best risk management strategies, the following should be ensured: (a) risks should be eliminated or reduced as much as possible through proper design and development; (b) if risks cannot be eliminated, appropriate mitigation and control measures should be implemented; (c) necessary information and training should be provided to users. Additionally, considerations should be made regarding the technical knowledge, experience, and training expected from the users, as well as the context in which the AI system will be used.
possibly arising, based on the analysis of data gathered from the post-market monitoring system referred to in Article 72; (d) the adoption of appropriate and targeted risk management measures designed to address the risks identified pursuant to point (a). 3. The risks referred to in this Article shall concern only those which may be reasonably mitigated or eliminated through the development or design of the high-risk AI system, or the provision of adequate technical information. 4. The risk management measures referred to in paragraph 2, point (d), shall give due consideration to the effects and possible interaction resulting from the combined application of the requirements set out in this Section, with a view to minimising risks more effectively while achieving an appropriate balance in implementing the measures to fulfil those requirements. 5. The risk management measures referred to in paragraph 2, point (d), shall be such that the relevant residual risk associated with each hazard, as well as the overall residual risk of the high-risk AI systems is judged to be acceptable. In identifying the most appropriate risk management measures, the following shall be ensured: (a) elimination or reduction of risks identified and evaluated pursuant to paragraph 2 in as far as technically feasible through adequate design and development of the high-risk AI system; (b) where appropriate, implementation of adequate mitigation and control measures addressing risks that cannot be eliminated; (c) provision of information required pursuant to Article 13 and, where appropriate, training to deployers. With a view to eliminating or reducing risks related to the use of the high-risk AI system, due consideration shall be given to the technical knowledge, experience, education, the training to be expected by the deployer, and the presumable context in which the system is intended to be used. EN OJ L, 12.7.2024 56/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 6.
Show original text
High-risk AI systems must be tested to find the best ways to manage risks. This testing ensures that these systems work reliably for their intended use and meet the requirements outlined in this section. Testing may include real-world conditions as specified in Article 60. Testing should occur at any stage of development, but must be completed before the systems are sold or used. It will be based on predefined metrics and thresholds suitable for the system's purpose. Providers must consider whether the high-risk AI system could negatively affect individuals under 18 and other vulnerable groups. For providers already subject to internal risk management requirements under other EU laws, the aspects mentioned may be integrated into their existing risk management processes. Additionally, high-risk AI systems that use data for training must be developed using training, validation, and testing data sets that meet specific quality standards.
which the system is intended to be used. EN OJ L, 12.7.2024 56/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 6. High-risk AI systems shall be tested for the purpose of identifying the most appropriate and targeted risk management measures. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and that they are in compliance with the requirements set out in this Section. 7. Testing procedures may include testing in real-world conditions in accordance with Article 60. 8. The testing of high-risk AI systems shall be performed, as appropriate, at any time throughout the development process, and, in any event, prior to their being placed on the market or put into service. Testing shall be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system. 9. When implementing the risk management system as provided for in paragraphs 1 to 7, providers shall give consideration to whether in view of its intended purpose the high-risk AI system is likely to have an adverse impact on persons under the age of 18 and, as appropriate, other vulnerable groups. 10. For providers of high-risk AI systems that are subject to requirements regarding internal risk management processes under other relevant provisions of Union law, the aspects provided in paragraphs 1 to 9 may be part of, or combined with, the risk management procedures established pursuant to that law. Article 10 Data and data governance 1. High-risk AI systems which make use of techniques involving the training of AI models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5 whenever such data sets are used. 2.
Show original text
AI models will be trained using data sets that meet specific quality standards for training, validation, and testing. These data sets must follow proper data governance and management practices tailored to the high-risk AI system's purpose. Key practices include: (a) making relevant design choices; (b) understanding how data is collected and its original purpose, especially for personal data; (c) preparing data through processes like labeling and cleaning; (d) stating assumptions about what the data measures; (e) assessing the availability and suitability of the data sets needed; (f) checking for biases that could harm health, violate rights, or lead to discrimination; (g) implementing measures to detect and reduce identified biases; and (h) identifying and addressing any data gaps that hinder compliance with regulations. The data sets must be relevant, representative, and as error-free and complete as possible for their intended use, possessing the right statistical properties for the target population.
of techniques involving the training of AI models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5 whenever such data sets are used. 2. Training, validation and testing data sets shall be subject to data governance and management practices appropriate for the intended purpose of the high-risk AI system. Those practices shall concern in particular: (a) the relevant design choices; (b) data collection processes and the origin of data, and in the case of personal data, the original purpose of the data collection; (c) relevant data-preparation processing operations, such as annotation, labelling, cleaning, updating, enrichment and aggregation; (d) the formulation of assumptions, in particular with respect to the information that the data are supposed to measure and represent; (e) an assessment of the availability, quantity and suitability of the data sets that are needed; (f) examination in view of possible biases that are likely to affect the health and safety of persons, have a negative impact on fundamental rights or lead to discrimination prohibited under Union law, especially where data outputs influence inputs for future operations; (g) appropriate measures to detect, prevent and mitigate possible biases identified according to point (f); (h) the identification of relevant data gaps or shortcomings that prevent compliance with this Regulation, and how those gaps and shortcomings can be addressed. 3. Training, validation and testing data sets shall be relevant, sufficiently representative, and to the best extent possible, free of errors and complete in view of the intended purpose. They shall have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons in relation to whom the high-risk AI system is intended to be used. Those characteristics of the data sets may be met at the level of individual data sets or at the level of a combination thereof. 4.
Show original text
High-risk AI systems are designed to be used with specific individuals or groups. The data sets used for these systems must reflect the unique geographical, contextual, behavioral, or functional aspects relevant to their intended use. Providers of high-risk AI systems may need to process special categories of personal data to detect and correct bias, but this is only allowed under strict conditions to protect individuals' rights. These conditions include: (a) Bias detection cannot be effectively achieved using other types of data, such as synthetic or anonymized data; (b) The special personal data must have restrictions on reuse and must be protected with advanced security measures, including pseudonymization; (c) There must be safeguards in place to secure the personal data, including strict access controls and documentation to prevent misuse, ensuring that only authorized individuals can access this data with confidentiality obligations.
persons or groups of persons in relation to whom the high-risk AI system is intended to be used. Those characteristics of the data sets may be met at the level of individual data sets or at the level of a combination thereof. 4. Data sets shall take into account, to the extent required by the intended purpose, the characteristics or elements that are particular to the specific geographical, contextual, behavioural or functional setting within which the high-risk AI system is intended to be used. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 57/144 5. To the extent that it is strictly necessary for the purpose of ensuring bias detection and correction in relation to the high-risk AI systems in accordance with paragraph (2), points (f) and (g) of this Article, the providers of such systems may exceptionally process special categories of personal data, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons. In addition to the provisions set out in Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680, all the following conditions must be met in order for such processing to occur: (a) the bias detection and correction cannot be effectively fulfilled by processing other data, including synthetic or anonymised data; (b) the special categories of personal data are subject to technical limitations on the re-use of the personal data, and state-of-the-art security and privacy-preserving measures, including pseudonymisation; (c) the special categories of personal data are subject to measures to ensure that the personal data processed are secured, protected, subject to suitable safeguards, including strict controls and documentation of the access, to avoid misuse and ensure that only authorised persons have access to those personal data with appropriate confidentiality obligations; (d) the
Show original text
To ensure the security of personal data, it must be protected with strict controls and documented access to prevent misuse. Only authorized individuals should have access to this data, and they must maintain confidentiality. Special categories of personal data should not be shared or accessed by unauthorized parties. Once any bias is corrected or the data's retention period ends, this special data must be deleted. Records of processing activities must explain why processing special categories of personal data was necessary to detect and correct biases, and why other data could not be used instead. For high-risk AI systems that do not involve training AI models, these rules apply only to the testing data sets. Technical documentation for high-risk AI systems must be created before the system is marketed or used and kept updated. This documentation should clearly show that the AI system meets the required standards and provide necessary information for authorities to assess compliance. It must include at least the elements listed in Annex IV. Small and microenterprises can submit a simplified version of this documentation, and the Commission will create a simplified form to meet their needs.
ensure that the personal data processed are secured, protected, subject to suitable safeguards, including strict controls and documentation of the access, to avoid misuse and ensure that only authorised persons have access to those personal data with appropriate confidentiality obligations; (d) the special categories of personal data are not to be transmitted, transferred or otherwise accessed by other parties; (e) the special categories of personal data are deleted once the bias has been corrected or the personal data has reached the end of its retention period, whichever comes first; (f) the records of processing activities pursuant to Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680 include the reasons why the processing of special categories of personal data was strictly necessary to detect and correct biases, and why that objective could not be achieved by processing other data. 6. For the development of high-risk AI systems not using techniques involving the training of AI models, paragraphs 2 to 5 apply only to the testing data sets. Article 11 Technical documentation 1. The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date. The technical documentation shall be drawn up in such a way as to demonstrate that the high-risk AI system complies with the requirements set out in this Section and to provide national competent authorities and notified bodies with the necessary information in a clear and comprehensive form to assess the compliance of the AI system with those requirements. It shall contain, at a minimum, the elements set out in Annex IV. SMEs, including start-ups, may provide the elements of the technical documentation specified in Annex IV in a simplified manner. To that end, the Commission shall establish a simplified technical documentation form targeted at the needs of small and microenterprises.
Show original text
Small and medium-sized enterprises (SMEs), including start-ups, can provide the technical documentation required in Annex IV in a simpler format. The Commission will create a simplified technical documentation form specifically for small and microenterprises. If an SME or start-up chooses to use this simplified format, they must use the designated form, which notified bodies will accept for conformity assessment. For high-risk AI systems related to products covered by Union harmonisation legislation listed in Section A of Annex I, a complete set of technical documentation must be prepared. This documentation will include all information from paragraph 1 and any additional information required by the relevant legal acts. The Commission has the authority to make changes to Annex IV through delegated acts, as needed, to ensure that the technical documentation keeps up with technological advancements and includes all necessary information for compliance assessment. Article 12: Record-keeping 1. High-risk AI systems must be capable of automatically recording events (logs) throughout their operational lifetime.
SMEs, including start-ups, may provide the elements of the technical documentation specified in Annex IV in a simplified manner. To that end, the Commission shall establish a simplified technical documentation form targeted at the needs of small and microenterprises. Where an SME, including a start-up, opts to provide the information required in Annex IV in a simplified manner, it shall use the form referred to in this paragraph. Notified bodies shall accept the form for the purposes of the conformity assessment. 2. Where a high-risk AI system related to a product covered by the Union harmonisation legislation listed in Section A of Annex I is placed on the market or put into service, a single set of technical documentation shall be drawn up containing all the information set out in paragraph 1, as well as the information required under those legal acts. 3. The Commission is empowered to adopt delegated acts in accordance with Article 97 in order to amend Annex IV, where necessary, to ensure that, in light of technical progress, the technical documentation provides all the information necessary to assess the compliance of the system with the requirements set out in this Section. EN OJ L, 12.7.2024 58/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 12 Record-keeping 1. High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system. 2.
Show original text
Article 12: Record-keeping 1. High-risk AI systems must have the ability to automatically record events (logs) throughout their entire lifespan. 2. To ensure traceability of how a high-risk AI system operates, the logging features must allow for recording events that are important for: (a) identifying situations where the AI system may pose a risk as defined in Article 79(1) or undergo significant changes; (b) supporting post-market monitoring as mentioned in Article 72; and (c) overseeing the operation of high-risk AI systems as described in Article 26(5). 3. For high-risk AI systems listed in point 1 (a) of Annex III, the logging features must at least include: (a) the start and end date and time for each use of the system; (b) the reference database used to check the input data; (c) the input data that matched the search; (d) the identification of the individuals involved in verifying the results, as stated in Article 14(5). Article 13: Transparency and Information for Deployers 1. High-risk AI systems must be designed to ensure that their operation is clear enough for deployers to understand and use the system's output correctly. The level of transparency must meet the obligations of both the provider and deployer outlined in Section 3.
ropa.eu/eli/reg/2024/1689/oj Article 12 Record-keeping 1. High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system. 2. In order to ensure a level of traceability of the functioning of a high-risk AI system that is appropriate to the intended purpose of the system, logging capabilities shall enable the recording of events relevant for: (a) identifying situations that may result in the high-risk AI system presenting a risk within the meaning of Article 79(1) or in a substantial modification; (b) facilitating the post-market monitoring referred to in Article 72; and (c) monitoring the operation of high-risk AI systems referred to in Article 26(5). 3. For high-risk AI systems referred to in point 1 (a), of Annex III, the logging capabilities shall provide, at a minimum: (a) recording of the period of each use of the system (start date and time and end date and time of each use); (b) the reference database against which input data has been checked by the system; (c) the input data for which the search has led to a match; (d) the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5). Article 13 Transparency and provision of information to deployers 1. High-risk AI systems shall be designed and developed in such a way as to ensure that their operation is sufficiently transparent to enable deployers to interpret a system’s output and use it appropriately. An appropriate type and degree of transparency shall be ensured with a view to achieving compliance with the relevant obligations of the provider and deployer set out in Section 3. 2.
Show original text
Users need to understand how to interpret and use the output of a system correctly. To ensure compliance with the relevant obligations outlined in Section 3, there must be a suitable level of transparency. 1. High-risk AI systems must come with user instructions in a digital format or another accessible form. These instructions should provide clear, complete, and accurate information that is easy for users to understand. 2. The user instructions must include at least the following details: (a) The identity and contact information of the provider and, if applicable, their authorized representative. (b) The features, capabilities, and performance limitations of the high-risk AI system, including: (i) Its intended purpose. (ii) The expected accuracy level, including metrics, robustness, and cybersecurity measures as mentioned in Article 15, along with any known factors that could affect this accuracy. (iii) Any known or foreseeable situations related to the use of the high-risk AI system that could pose risks to health, safety, or fundamental rights as stated in Article 9(2). (iv) If relevant, the technical features of the high-risk AI system that help explain its output.
ers to interpret a system’s output and use it appropriately. An appropriate type and degree of transparency shall be ensured with a view to achieving compliance with the relevant obligations of the provider and deployer set out in Section 3. 2. High-risk AI systems shall be accompanied by instructions for use in an appropriate digital format or otherwise that include concise, complete, correct and clear information that is relevant, accessible and comprehensible to deployers. 3. The instructions for use shall contain at least the following information: (a) the identity and the contact details of the provider and, where applicable, of its authorised representative; (b) the characteristics, capabilities and limitations of performance of the high-risk AI system, including: (i) its intended purpose; (ii) the level of accuracy, including its metrics, robustness and cybersecurity referred to in Article 15 against which the high-risk AI system has been tested and validated and which can be expected, and any known and foreseeable circumstances that may have an impact on that expected level of accuracy, robustness and cybersecurity; (iii) any known or foreseeable circumstance, related to the use of the high-risk AI system in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, which may lead to risks to the health and safety or fundamental rights referred to in Article 9(2); (iv) where applicable, the technical capabilities and characteristics of the high-risk AI system to provide information that is relevant to explain its output; OJ L, 12.7.
Show original text
The following points outline important information regarding high-risk AI systems: 1. Safety and fundamental rights mentioned in Article 9(2) must be considered. 2. If applicable, the technical features of the AI system should provide relevant information to explain its outputs. 3. The system's performance should be evaluated for specific individuals or groups it is intended to serve. 4. Specifications for input data and other relevant details about the training, validation, and testing datasets should be provided, considering the system's intended purpose. 5. Information should be available to help users interpret the AI system's outputs correctly. 6. Any changes to the AI system and its performance that were identified by the provider during the initial assessment should be documented. 7. Human oversight measures, as mentioned in Article 14, should include technical tools to help users understand the AI outputs. 8. Details about the computational and hardware resources required, the expected lifespan of the AI system, and necessary maintenance measures (including frequency) should be included to ensure proper functioning, including software updates. 9. If relevant, a description of the mechanisms for collecting, storing, and interpreting logs in accordance with Article 12 should be provided. Article 14 emphasizes that high-risk AI systems must be designed to allow effective human oversight during their use, including appropriate human-machine interface tools.
afety or fundamental rights referred to in Article 9(2); (iv) where applicable, the technical capabilities and characteristics of the high-risk AI system to provide information that is relevant to explain its output; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 59/144 (v) when appropriate, its performance regarding specific persons or groups of persons on which the system is intended to be used; (vi) when appropriate, specifications for the input data, or any other relevant information in terms of the training, validation and testing data sets used, taking into account the intended purpose of the high-risk AI system; (vii) where applicable, information to enable deployers to interpret the output of the high-risk AI system and use it appropriately; (c) the changes to the high-risk AI system and its performance which have been pre-determined by the provider at the moment of the initial conformity assessment, if any; (d) the human oversight measures referred to in Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of the high-risk AI systems by the deployers; (e) the computational and hardware resources needed, the expected lifetime of the high-risk AI system and any necessary maintenance and care measures, including their frequency, to ensure the proper functioning of that AI system, including as regards software updates; (f) where relevant, a description of the mechanisms included within the high-risk AI system that allows deployers to properly collect, store and interpret the logs in accordance with Article 12. Article 14 Human oversight 1. High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which they are in use. 2.
Show original text
Human Oversight of High-Risk AI Systems 1. High-risk AI systems must be designed to allow effective human oversight while they are in use, using suitable human-machine interface tools. 2. The goal of human oversight is to reduce risks to health, safety, or fundamental rights that may arise when using high-risk AI systems, whether used as intended or misused, especially when other safety measures are not enough. 3. Oversight measures should match the risks, autonomy level, and usage context of the high-risk AI system. These measures can be implemented in one or both of the following ways: (a) Built into the AI system by the provider before it is sold or used, if technically possible; (b) Identified by the provider before market release and suitable for the user to implement. 4. To ensure effective oversight, the high-risk AI system must be provided to users in a way that allows them to: (a) Understand its capabilities and limitations, and monitor its operation to identify and address any issues; (b) Be aware of the risk of over-relying on the AI's output (automation bias), especially when the AI provides information or recommendations for human decisions; (c) Accurately interpret the AI's output, considering available interpretation tools and methods.
Human oversight 1. High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which they are in use. 2. Human oversight shall aim to prevent or minimise the risks to health, safety or fundamental rights that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, in particular where such risks persist despite the application of other requirements set out in this Section. 3. The oversight measures shall be commensurate with the risks, level of autonomy and context of use of the high-risk AI system, and shall be ensured through either one or both of the following types of measures: (a) measures identified and built, when technically feasible, into the high-risk AI system by the provider before it is placed on the market or put into service; (b) measures identified by the provider before placing the high-risk AI system on the market or putting it into service and that are appropriate to be implemented by the deployer. 4. For the purpose of implementing paragraphs 1, 2 and 3, the high-risk AI system shall be provided to the deployer in such a way that natural persons to whom human oversight is assigned are enabled, as appropriate and proportionate: (a) to properly understand the relevant capacities and limitations of the high-risk AI system and be able to duly monitor its operation, including in view of detecting and addressing anomalies, dysfunctions and unexpected performance; (b) to remain aware of the possible tendency of automatically relying or over-relying on the output produced by a high-risk AI system (automation bias), in particular for high-risk AI systems used to provide information or recommendations for decisions to be taken by natural persons; (c) to correctly interpret the high-risk AI system’s output, taking into account, for example, the interpretation tools and methods
Show original text
High-risk AI systems that provide information or recommendations for decisions made by people must: 1. Correctly interpret the system's output, using available interpretation tools and methods. 2. Allow users to choose not to use the system's output in specific situations, or to override or reverse the system's recommendations. 3. Enable users to intervene in the system's operation or stop it safely using a 'stop' button or similar method. For high-risk AI systems mentioned in Annex III, no actions or decisions should be made based on the system's identification results unless these results have been verified and confirmed by at least two qualified individuals. However, this verification requirement does not apply to high-risk AI systems used in law enforcement, migration, border control, or asylum cases, where it may be deemed excessive by Union or national law. Additionally, high-risk AI systems must be designed to ensure accuracy, robustness, and cybersecurity, maintaining consistent performance throughout their lifecycle.
in particular for high-risk AI systems used to provide information or recommendations for decisions to be taken by natural persons; (c) to correctly interpret the high-risk AI system’s output, taking into account, for example, the interpretation tools and methods available; EN OJ L, 12.7.2024 60/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (d) to decide, in any particular situation, not to use the high-risk AI system or to otherwise disregard, override or reverse the output of the high-risk AI system; (e) to intervene in the operation of the high-risk AI system or interrupt the system through a ‘stop’ button or a similar procedure that allows the system to come to a halt in a safe state. 5. For high-risk AI systems referred to in point 1(a) of Annex III, the measures referred to in paragraph 3 of this Article shall be such as to ensure that, in addition, no action or decision is taken by the deployer on the basis of the identification resulting from the system unless that identification has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority. The requirement for a separate verification by at least two natural persons shall not apply to high-risk AI systems used for the purposes of law enforcement, migration, border control or asylum, where Union or national law considers the application of this requirement to be disproportionate. Article 15 Accuracy, robustness and cybersecurity 1. High-risk AI systems shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently in those respects throughout their lifecycle. 2.
Show original text
1. High-risk AI systems must be designed to achieve a suitable level of accuracy, robustness, and cybersecurity, and they should maintain these qualities throughout their entire lifecycle. 2. To help measure the necessary levels of accuracy and robustness mentioned in point 1, the Commission will work with relevant stakeholders and organizations, like metrology and benchmarking authorities, to promote the development of benchmarks and measurement methods. 3. The accuracy levels and metrics for high-risk AI systems must be included in the user instructions. 4. High-risk AI systems should be as resilient as possible to errors, faults, or inconsistencies that may arise from their interactions with people or other systems. This requires both technical and organizational measures. Robustness can be enhanced through technical redundancy solutions, such as backup plans. For high-risk AI systems that continue to learn after being released, developers must minimize the risk of biased outputs affecting future operations (feedback loops) and ensure that any such feedback loops are properly managed with mitigation measures. 5. High-risk AI systems must be protected against unauthorized attempts to change their use, outputs, or performance by exploiting vulnerabilities. The technical solutions for ensuring the cybersecurity of these systems should be suitable for the specific circumstances and risks involved.
ness and cybersecurity 1. High-risk AI systems shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently in those respects throughout their lifecycle. 2. To address the technical aspects of how to measure the appropriate levels of accuracy and robustness set out in paragraph 1 and any other relevant performance metrics, the Commission shall, in cooperation with relevant stakeholders and organisations such as metrology and benchmarking authorities, encourage, as appropriate, the development of benchmarks and measurement methodologies. 3. The levels of accuracy and the relevant accuracy metrics of high-risk AI systems shall be declared in the accompanying instructions of use. 4. High-risk AI systems shall be as resilient as possible regarding errors, faults or inconsistencies that may occur within the system or the environment in which the system operates, in particular due to their interaction with natural persons or other systems. Technical and organisational measures shall be taken in this regard. The robustness of high-risk AI systems may be achieved through technical redundancy solutions, which may include backup or fail-safe plans. High-risk AI systems that continue to learn after being placed on the market or put into service shall be developed in such a way as to eliminate or reduce as far as possible the risk of possibly biased outputs influencing input for future operations (feedback loops), and as to ensure that any such feedback loops are duly addressed with appropriate mitigation measures. 5. High-risk AI systems shall be resilient against attempts by unauthorised third parties to alter their use, outputs or performance by exploiting system vulnerabilities. The technical solutions aiming to ensure the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks.
Show original text
High-risk AI systems must be protected from unauthorized attempts to change their use, outputs, or performance by taking advantage of system weaknesses. The technical solutions for ensuring the cybersecurity of these systems should be suitable for the specific risks involved. These solutions should address vulnerabilities unique to AI, including measures to prevent, detect, respond to, resolve, and control attacks that could manipulate training data (data poisoning), pre-trained components (model poisoning), inputs that lead to mistakes (adversarial examples), confidentiality breaches, or flaws in the model. **Obligations of Providers of High-Risk AI Systems** Providers of high-risk AI systems must: (a) Ensure their systems meet the requirements outlined in Section 2; (b) Clearly display their name, trade name, or trademark, along with their contact address on the system, its packaging, or accompanying documents; (c) Implement a quality management system as per Article 17; (d) Maintain the documentation specified in Article 18; (e) Keep logs generated by their AI systems as mentioned in Article 19; (f) Ensure the system passes the necessary conformity assessment before being sold or used, as stated in Article 43; (g) Create an EU declaration of conformity according to Article 47; (h) Affix the CE mark.
resilient against attempts by unauthorised third parties to alter their use, outputs or performance by exploiting system vulnerabilities. The technical solutions aiming to ensure the cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and the risks. The technical solutions to address AI specific vulnerabilities shall include, where appropriate, measures to prevent, detect, respond to, resolve and control for attacks trying to manipulate the training data set (data poisoning), or pre-trained components used in training (model poisoning), inputs designed to cause the AI model to make a mistake (adversarial examples or model evasion), confidentiality attacks or model flaws. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 61/144 SECTION 3 Obligations of providers and deployers of high-risk AI systems and other parties Article 16 Obligations of providers of high-risk AI systems Providers of high-risk AI systems shall: (a) ensure that their high-risk AI systems are compliant with the requirements set out in Section 2; (b) indicate on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as applicable, their name, registered trade name or registered trade mark, the address at which they can be contacted; (c) have a quality management system in place which complies with Article 17; (d) keep the documentation referred to in Article 18; (e) when under their control, keep the logs automatically generated by their high-risk AI systems as referred to in Article 19; (f) ensure that the high-risk AI system undergoes the relevant conformity assessment procedure as referred to in Article 43, prior to its being placed on the market or put into service; (g) draw up an EU declaration of conformity in accordance with Article 47; (h) affix the CE
Show original text
Before a high-risk AI system can be sold or used, providers must follow specific steps: (f) complete the necessary conformity assessment procedure as outlined in Article 43; (g) create an EU declaration of conformity as per Article 47; (h) place the CE marking on the AI system, or on its packaging or accompanying documents, to show it meets this Regulation, according to Article 48; (i) fulfill the registration requirements mentioned in Article 49(1); (j) take corrective actions and provide information as needed in Article 20; (k) if requested by a national authority, prove that the AI system meets the requirements in Section 2; (l) ensure the AI system meets accessibility standards as per Directives (EU) 2016/2102 and (EU) 2019/882. Article 17 states that providers of high-risk AI systems must establish a quality management system to ensure compliance with this Regulation. This system must be documented clearly and include: (a) a strategy for regulatory compliance, including conformity assessment procedures and management of system modifications; (b) methods for design control and verification; (c) processes for development, quality control, and assurance; (d) testing and validation procedures to be conducted before, during, and after development, along with their frequency.
es the relevant conformity assessment procedure as referred to in Article 43, prior to its being placed on the market or put into service; (g) draw up an EU declaration of conformity in accordance with Article 47; (h) affix the CE marking to the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, to indicate conformity with this Regulation, in accordance with Article 48; (i) comply with the registration obligations referred to in Article 49(1); (j) take the necessary corrective actions and provide information as required in Article 20; (k) upon a reasoned request of a national competent authority, demonstrate the conformity of the high-risk AI system with the requirements set out in Section 2; (l) ensure that the high-risk AI system complies with accessibility requirements in accordance with Directives (EU) 2016/2102 and (EU) 2019/882. Article 17 Quality management system 1. Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects: (a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system; (b) techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system; (c) techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system; (d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out; EN OJ L, 12.7.
Show original text
(d) Procedures for examining, testing, and validating high-risk AI systems must be conducted before, during, and after development, along with the frequency of these procedures; (e) Technical specifications and standards that must be followed. If the relevant standards are not fully applied or do not cover all necessary requirements, alternative methods must be used to ensure compliance; (f) Systems and procedures for managing data, including how data is acquired, collected, analyzed, labeled, stored, filtered, mined, aggregated, retained, and any other operations related to data before the high-risk AI systems are marketed or put into service; (g) The risk management system as mentioned in Article 9; (h) Establishing, implementing, and maintaining a post-market monitoring system as per Article 72; (i) Procedures for reporting serious incidents according to Article 73; (j) Managing communication with national authorities, relevant agencies, notified bodies, other operators, customers, and interested parties; (k) Systems and procedures for keeping records of all relevant documents and information; (l) Resource management, including measures related to supply security; (m) An accountability framework that defines the responsibilities of management and staff regarding all aspects mentioned. The implementation of these aspects should be appropriate to the size of the provider's organization.
(d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out; EN OJ L, 12.7.2024 62/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (e) technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full or do not cover all of the relevant requirements set out in Section 2, the means to be used to ensure that the high-risk AI system complies with those requirements; (f) systems and procedures for data management, including data acquisition, data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purpose of the placing on the market or the putting into service of high-risk AI systems; (g) the risk management system referred to in Article 9; (h) the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 72; (i) procedures related to the reporting of a serious incident in accordance with Article 73; (j) the handling of communication with national competent authorities, other relevant authorities, including those providing or supporting the access to data, notified bodies, other operators, customers or other interested parties; (k) systems and procedures for record-keeping of all relevant documentation and information; (l) resource management, including security-of-supply related measures; (m) an accountability framework setting out the responsibilities of the management and other staff with regard to all the aspects listed in this paragraph. 2. The implementation of the aspects referred to in paragraph 1 shall be proportionate to the size of the provider’s organisation.
Show original text
This section outlines the responsibilities of management and staff regarding the points mentioned. 1. The implementation of these points should match the size of the organization. Providers must ensure that their high-risk AI systems comply with the required standards and protections outlined in this Regulation. 2. Providers of high-risk AI systems that already have quality management system obligations under relevant EU laws can integrate the points mentioned into their existing systems. 3. For financial institutions that must follow internal governance rules under EU financial services law, the requirement to establish a quality management system (except for points (g), (h), and (i) of this Article) is satisfied by adhering to those governance rules. Any relevant harmonized standards mentioned in Article 40 should be considered. Article 18: Documentation Requirements 1. Providers must keep the following documentation available for 10 years after their high-risk AI system is marketed or put into service: (a) Technical documentation as per Article 11; (b) Quality management system documentation as per Article 17; (c) Documentation of changes approved by notified bodies, if applicable; (d) Decisions and documents issued by notified bodies, if applicable; (e) The EU declaration of conformity as per Article 47.
setting out the responsibilities of the management and other staff with regard to all the aspects listed in this paragraph. 2. The implementation of the aspects referred to in paragraph 1 shall be proportionate to the size of the provider’s organisation. Providers shall, in any event, respect the degree of rigour and the level of protection required to ensure the compliance of their high-risk AI systems with this Regulation. 3. Providers of high-risk AI systems that are subject to obligations regarding quality management systems or an equivalent function under relevant sectoral Union law may include the aspects listed in paragraph 1 as part of the quality management systems pursuant to that law. 4. For providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law, the obligation to put in place a quality management system, with the exception of paragraph 1, points (g), (h) and (i) of this Article, shall be deemed to be fulfilled by complying with the rules on internal governance arrangements or processes pursuant to the relevant Union financial services law. To that end, any harmonised standards referred to in Article 40 shall be taken into account. Article 18 Documentation keeping 1. The provider shall, for a period ending 10 years after the high-risk AI system has been placed on the market or put into service, keep at the disposal of the national competent authorities: (a) the technical documentation referred to in Article 11; (b) the documentation concerning the quality management system referred to in Article 17; (c) the documentation concerning the changes approved by notified bodies, where applicable; (d) the decisions and other documents issued by the notified bodies, where applicable; (e) the EU declaration of conformity referred to in Article 47. OJ L, 12.7.
Show original text
Regarding the changes approved by notified bodies, and any decisions or documents they issue, the EU declaration of conformity mentioned in Article 47 must also be included. Each Member State will set the rules for how long this documentation must be available to national authorities, especially if a provider or their authorized representative goes bankrupt or stops operating before the specified time. Financial institutions that must follow specific internal governance rules under EU financial services law must keep their technical documentation as required by that law. Article 19 states that providers of high-risk AI systems must keep automatically generated logs for at least six months, or longer if required by EU or national law, including laws on personal data protection. Financial institutions must also maintain these logs as part of their required documentation under financial services law. Article 20 discusses corrective actions and the obligation to provide information.
concerning the changes approved by notified bodies, where applicable; (d) the decisions and other documents issued by the notified bodies, where applicable; (e) the EU declaration of conformity referred to in Article 47. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 63/144 2. Each Member State shall determine conditions under which the documentation referred to in paragraph 1 remains at the disposal of the national competent authorities for the period indicated in that paragraph for the cases when a provider or its authorised representative established on its territory goes bankrupt or ceases its activity prior to the end of that period. 3. Providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law shall maintain the technical documentation as part of the documentation kept under the relevant Union financial services law. Article 19 Automatically generated logs 1. Providers of high-risk AI systems shall keep the logs referred to in Article 12(1), automatically generated by their high-risk AI systems, to the extent such logs are under their control. Without prejudice to applicable Union or national law, the logs shall be kept for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in the applicable Union or national law, in particular in Union law on the protection of personal data. 2. Providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation kept under the relevant financial services law. Article 20 Corrective actions and duty of information 1.
Show original text
Companies that provide high-risk AI systems must keep records of the logs automatically created by these systems, as required by Union financial services law. **Article 20: Corrective Actions and Duty to Inform** 1. If a provider believes that their high-risk AI system does not comply with regulations, they must quickly take corrective actions. This may include fixing the system, withdrawing it from the market, disabling it, or recalling it. They must also inform distributors, deployers, authorized representatives, and importers about the situation. 2. If the high-risk AI system poses a risk, the provider must investigate the issue immediately, working with the deployer if necessary. They must inform the relevant market surveillance authorities and, if applicable, the notified body that certified the system about the non-compliance and any corrective actions taken. **Article 21: Cooperation with Competent Authorities** 1. Providers of high-risk AI systems must provide any requested information and documentation to competent authorities to prove that their system meets the required standards. This information should be in a language that the authority can easily understand, using one of the official languages of the Union as specified by the relevant Member State.
arrangements or processes under Union financial services law shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation kept under the relevant financial services law. Article 20 Corrective actions and duty of information 1. Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system that they have placed on the market or put into service is not in conformity with this Regulation shall immediately take the necessary corrective actions to bring that system into conformity, to withdraw it, to disable it, or to recall it, as appropriate. They shall inform the distributors of the high-risk AI system concerned and, where applicable, the deployers, the authorised representative and importers accordingly. 2. Where the high-risk AI system presents a risk within the meaning of Article 79(1) and the provider becomes aware of that risk, it shall immediately investigate the causes, in collaboration with the reporting deployer, where applicable, and inform the market surveillance authorities competent for the high-risk AI system concerned and, where applicable, the notified body that issued a certificate for that high-risk AI system in accordance with Article 44, in particular, of the nature of the non-compliance and of any relevant corrective action taken. Article 21 Cooperation with competent authorities 1. Providers of high-risk AI systems shall, upon a reasoned request by a competent authority, provide that authority all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Section 2, in a language which can be easily understood by the authority in one of the official languages of the institutions of the Union as indicated by the Member State concerned. 2.
Show original text
Providers of high-risk AI systems must present their systems in a clear and understandable way, using one of the official languages of the European Union as specified by the relevant Member State. If a competent authority makes a formal request, providers must grant access to the automatically generated logs of their high-risk AI systems, as long as those logs are under their control. Any information obtained by the competent authority must be kept confidential according to Article 78. Article 22 states that providers of high-risk AI systems based in non-EU countries must appoint an authorized representative located in the EU before they can sell their systems in the EU market. The provider must allow this representative to carry out the tasks outlined in their written mandate. The authorized representative must also provide a copy of this mandate to market surveillance authorities if requested, in one of the official EU languages.
the high-risk AI system with the requirements set out in Section 2, in a language which can be easily understood by the authority in one of the official languages of the institutions of the Union as indicated by the Member State concerned. 2. Upon a reasoned request by a competent authority, providers shall also give the requesting competent authority, as applicable, access to the automatically generated logs of the high-risk AI system referred to in Article 12(1), to the extent such logs are under their control. 3. Any information obtained by a competent authority pursuant to this Article shall be treated in accordance with the confidentiality obligations set out in Article 78. EN OJ L, 12.7.2024 64/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 22 Authorised representatives of providers of high-risk AI systems 1. Prior to making their high-risk AI systems available on the Union market, providers established in third countries shall, by written mandate, appoint an authorised representative which is established in the Union. 2. The provider shall enable its authorised representative to perform the tasks specified in the mandate received from the provider. 3. The authorised representative shall perform the tasks specified in the mandate received from the provider. It shall provide a copy of the mandate to the market surveillance authorities upon request, in one of the official languages of the institutions of the Union, as indicated by the competent authority.
Show original text
The authorized representative must carry out tasks outlined in the mandate from the provider. They must provide a copy of this mandate to market surveillance authorities if requested, in one of the official languages of the EU, as specified by the competent authority. The mandate allows the authorized representative to perform the following tasks: (a) Check that the EU declaration of conformity (mentioned in Article 47) and the technical documentation (mentioned in Article 11) have been completed, and that the provider has conducted the necessary conformity assessment; (b) Keep the contact details of the provider, a copy of the EU declaration of conformity, the technical documentation, and any relevant certificates available for competent and national authorities for 10 years after the high-risk AI system is on the market or in use; (c) Provide any requested information and documentation to a competent authority to prove that the high-risk AI system meets the requirements in Section 2, including access to logs generated by the system, as long as those logs are controlled by the provider; (d) Work with competent authorities on any actions they take regarding the high-risk AI system, especially to reduce and manage risks; (e) If applicable, fulfill the registration requirements mentioned in Article 49(1), or ensure that the provider registers the necessary information as outlined in point 3 of Section A of the Annex.
the tasks specified in the mandate received from the provider. It shall provide a copy of the mandate to the market surveillance authorities upon request, in one of the official languages of the institutions of the Union, as indicated by the competent authority. For the purposes of this Regulation, the mandate shall empower the authorised representative to carry out the following tasks: (a) verify that the EU declaration of conformity referred to in Article 47 and the technical documentation referred to in Article 11 have been drawn up and that an appropriate conformity assessment procedure has been carried out by the provider; (b) keep at the disposal of the competent authorities and national authorities or bodies referred to in Article 74(10), for a period of 10 years after the high-risk AI system has been placed on the market or put into service, the contact details of the provider that appointed the authorised representative, a copy of the EU declaration of conformity referred to in Article 47, the technical documentation and, if applicable, the certificate issued by the notified body; (c) provide a competent authority, upon a reasoned request, with all the information and documentation, including that referred to in point (b) of this subparagraph, necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Section 2, including access to the logs, as referred to in Article 12(1), automatically generated by the high-risk AI system, to the extent such logs are under the control of the provider; (d) cooperate with competent authorities, upon a reasoned request, in any action the latter take in relation to the high-risk AI system, in particular to reduce and mitigate the risks posed by the high-risk AI system; (e) where applicable, comply with the registration obligations referred to in Article 49(1), or, if the registration is carried out by the provider itself, ensure that the information referred to in point 3 of Section A of Annex
Show original text
Importers must ensure that high-risk AI systems comply with regulations before they are sold. This includes checking that: (a) the provider has completed the necessary conformity assessment as outlined in Article 43; (b) the provider has prepared the required technical documentation according to Article 11 and Annex IV; (c) the system has the correct CE marking and comes with the EU declaration of conformity and user instructions; and (d) the provider has appointed an authorized representative as stated in Article 22(1). Additionally, if the authorized representative believes the provider is not meeting its obligations, they must end their mandate and inform the relevant market surveillance authority and, if necessary, the notified body about the termination and the reasons for it.
system; (e) where applicable, comply with the registration obligations referred to in Article 49(1), or, if the registration is carried out by the provider itself, ensure that the information referred to in point 3 of Section A of Annex VIII is correct. The mandate shall empower the authorised representative to be addressed, in addition to or instead of the provider, by the competent authorities, on all issues related to ensuring compliance with this Regulation. 4. The authorised representative shall terminate the mandate if it considers or has reason to consider the provider to be acting contrary to its obligations pursuant to this Regulation. In such a case, it shall immediately inform the relevant market surveillance authority, as well as, where applicable, the relevant notified body, about the termination of the mandate and the reasons therefor. Article 23 Obligations of importers 1. Before placing a high-risk AI system on the market, importers shall ensure that the system is in conformity with this Regulation by verifying that: (a) the relevant conformity assessment procedure referred to in Article 43 has been carried out by the provider of the high-risk AI system; (b) the provider has drawn up the technical documentation in accordance with Article 11 and Annex IV; (c) the system bears the required CE marking and is accompanied by the EU declaration of conformity referred to in Article 47 and instructions for use; (d) the provider has appointed an authorised representative in accordance with Article 22(1). OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 65/144 2.
Show original text
According to Article 22(1), as published in OJ L on July 12, 2024, importers must not sell a high-risk AI system if they have good reason to believe it does not comply with regulations, is counterfeit, or has fake documents. They must ensure the system is compliant before placing it on the market. If the system poses a risk as defined in Article 79(1), the importer must notify the system provider, the authorized representative, and market surveillance authorities. Importers are required to display their name, registered trade name or trademark, and contact address on the high-risk AI system, its packaging, or accompanying documents, if applicable. They must also ensure that the storage or transport conditions of the AI system do not compromise its compliance with regulations while it is under their responsibility. Importers must keep a copy of the certificate from the notified body, the user instructions, and the EU declaration of conformity for 10 years after the AI system is sold or put into service. They must provide relevant authorities with all necessary information and documentation, including what is mentioned above, in a language that is easy for them to understand, upon a justified request. They should also ensure that the technical documentation is accessible to these authorities.
in accordance with Article 22(1). OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 65/144 2. Where an importer has sufficient reason to consider that a high-risk AI system is not in conformity with this Regulation, or is falsified, or accompanied by falsified documentation, it shall not place the system on the market until it has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article 79(1), the importer shall inform the provider of the system, the authorised representative and the market surveillance authorities to that effect. 3. Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system and on its packaging or its accompanying documentation, where applicable. 4. Importers shall ensure that, while a high-risk AI system is under their responsibility, storage or transport conditions, where applicable, do not jeopardise its compliance with the requirements set out in Section 2. 5. Importers shall keep, for a period of 10 years after the high-risk AI system has been placed on the market or put into service, a copy of the certificate issued by the notified body, where applicable, of the instructions for use, and of the EU declaration of conformity referred to in Article 47. 6. Importers shall provide the relevant competent authorities, upon a reasoned request, with all the necessary information and documentation, including that referred to in paragraph 5, to demonstrate the conformity of a high-risk AI system with the requirements set out in Section 2 in a language which can be easily understood by them. For this purpose, they shall also ensure that the technical documentation can be made available to those authorities. 7.
Show original text
Importers of high-risk AI systems must provide clear information about the system's requirements as outlined in Section 2. They should also ensure that technical documentation is available to relevant authorities. Importers are required to cooperate with these authorities in any actions taken regarding the high-risk AI systems they bring to market, especially to help reduce any associated risks. Distributors have specific obligations before selling high-risk AI systems. They must check that the system has the necessary CE marking, includes a copy of the EU declaration of conformity mentioned in Article 47, and comes with user instructions. They also need to confirm that the provider and importer have met their obligations as stated in Article 16, points (b) and (c), and Article 23(3). If a distributor believes that a high-risk AI system does not meet the required standards, they must not sell it until it complies. If the system poses a risk as defined in Article 79(1), the distributor must notify the provider or importer. Additionally, distributors must ensure that the storage and transport conditions of the high-risk AI system do not compromise its compliance with the requirements in Section 2.
of a high-risk AI system with the requirements set out in Section 2 in a language which can be easily understood by them. For this purpose, they shall also ensure that the technical documentation can be made available to those authorities. 7. Importers shall cooperate with the relevant competent authorities in any action those authorities take in relation to a high-risk AI system placed on the market by the importers, in particular to reduce and mitigate the risks posed by it. Article 24 Obligations of distributors 1. Before making a high-risk AI system available on the market, distributors shall verify that it bears the required CE marking, that it is accompanied by a copy of the EU declaration of conformity referred to in Article 47 and instructions for use, and that the provider and the importer of that system, as applicable, have complied with their respective obligations as laid down in Article 16, points (b) and (c) and Article 23(3). 2. Where a distributor considers or has reason to consider, on the basis of the information in its possession, that a high-risk AI system is not in conformity with the requirements set out in Section 2, it shall not make the high-risk AI system available on the market until the system has been brought into conformity with those requirements. Furthermore, where the high-risk AI system presents a risk within the meaning of Article 79(1), the distributor shall inform the provider or the importer of the system, as applicable, to that effect. 3. Distributors shall ensure that, while a high-risk AI system is under their responsibility, storage or transport conditions, where applicable, do not jeopardise the compliance of the system with the requirements set out in Section 2. 4.
Show original text
3. Distributors must ensure that the storage and transport conditions of high-risk AI systems do not compromise their compliance with the requirements outlined in Section 2. 4. If a distributor believes that a high-risk AI system they have made available is not compliant with Section 2, they must take necessary corrective actions to ensure compliance, withdraw the system, or recall it. They should also ensure that the provider, importer, or relevant operator takes these actions. If the system poses a risk as defined in Article 79(1), the distributor must immediately inform the provider or importer and the relevant authorities, detailing the non-compliance and any corrective actions taken. 5. Distributors must provide any requested information and documentation to relevant authorities to demonstrate compliance with Section 2. 6. Distributors are required to cooperate with relevant authorities in any actions they take regarding high-risk AI systems they have made available, especially to reduce or mitigate risks.
3. Distributors shall ensure that, while a high-risk AI system is under their responsibility, storage or transport conditions, where applicable, do not jeopardise the compliance of the system with the requirements set out in Section 2. 4. A distributor that considers or has reason to consider, on the basis of the information in its possession, a high-risk AI system which it has made available on the market not to be in conformity with the requirements set out in Section 2, shall take the corrective actions necessary to bring that system into conformity with those requirements, to withdraw it or recall it, or shall ensure that the provider, the importer or any relevant operator, as appropriate, takes those corrective actions. Where the high-risk AI system presents a risk within the meaning of Article 79(1), the distributor shall immediately inform the provider or importer of the system and the authorities competent for the high-risk AI system concerned, giving details, in particular, of the non-compliance and of any corrective actions taken. 5. Upon a reasoned request from a relevant competent authority, distributors of a high-risk AI system shall provide that authority with all the information and documentation regarding their actions pursuant to paragraphs 1 to 4 necessary to demonstrate the conformity of that system with the requirements set out in Section 2. 6. Distributors shall cooperate with the relevant competent authorities in any action those authorities take in relation to a high-risk AI system made available on the market by the distributors, in particular to reduce or mitigate the risk posed by it. EN OJ L, 12.7.2024 66/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 25 Responsibilities along the AI value chain 1.
Show original text
On July 12, 2024, the European Regulation (ELI: http://data.europa.eu/eli/reg/2024/1689/oj) outlines responsibilities for those involved in high-risk AI systems. According to Article 25, any distributor, importer, deployer, or third party is considered a provider of a high-risk AI system if: (a) they label a high-risk AI system with their name or trademark, regardless of any contractual agreements; (b) they make significant changes to an existing high-risk AI system; or (c) they change the purpose of a non-high-risk AI system, making it high-risk. In such cases, the original provider of the AI system is no longer seen as the provider under this regulation. The original provider must work closely with the new providers and share necessary information and technical support to ensure compliance with the regulations for high-risk AI systems.
J L, 12.7.2024 66/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 25 Responsibilities along the AI value chain 1. Any distributor, importer, deployer or other third-party shall be considered to be a provider of a high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances: (a) they put their name or trademark on a high-risk AI system already placed on the market or put into service, without prejudice to contractual arrangements stipulating that the obligations are otherwise allocated; (b) they make a substantial modification to a high-risk AI system that has already been placed on the market or has already been put into service in such a way that it remains a high-risk AI system pursuant to Article 6; (c) they modify the intended purpose of an AI system, including a general-purpose AI system, which has not been classified as high-risk and has already been placed on the market or put into service in such a way that the AI system concerned becomes a high-risk AI system in accordance with Article 6. 2. Where the circumstances referred to in paragraph 1 occur, the provider that initially placed the AI system on the market or put it into service shall no longer be considered to be a provider of that specific AI system for the purposes of this Regulation. That initial provider shall closely cooperate with new providers and shall make available the necessary information and provide the reasonably expected technical access and other assistance that are required for the fulfilment of the obligations set out in this Regulation, in particular regarding the compliance with the conformity assessment of high-risk AI systems.
Show original text
The necessary information and technical support must be provided to meet the requirements of this Regulation, especially for ensuring that high-risk AI systems comply with conformity assessments. However, this does not apply if the original provider has clearly stated that their AI system should not be classified as high-risk and therefore does not need to share documentation. For high-risk AI systems that are safety components of products covered by EU regulations listed in Section A of Annex I, the product manufacturer will be considered the provider of the high-risk AI system and must follow the obligations in Article 16 if: (a) the high-risk AI system is marketed with the product under the manufacturer's name or trademark; (b) the high-risk AI system is used under the manufacturer's name or trademark after the product has been sold. The provider of a high-risk AI system and any third party supplying AI systems, tools, services, components, or processes used in the high-risk AI system must agree in writing on the necessary information, capabilities, technical access, and support needed to ensure compliance with this Regulation. This requirement does not apply to third parties offering tools, services, processes, or components to the public under a free and open-source license, except for general-purpose AI models.
shall make available the necessary information and provide the reasonably expected technical access and other assistance that are required for the fulfilment of the obligations set out in this Regulation, in particular regarding the compliance with the conformity assessment of high-risk AI systems. This paragraph shall not apply in cases where the initial provider has clearly specified that its AI system is not to be changed into a high-risk AI system and therefore does not fall under the obligation to hand over the documentation. 3. In the case of high-risk AI systems that are safety components of products covered by the Union harmonisation legislation listed in Section A of Annex I, the product manufacturer shall be considered to be the provider of the high-risk AI system, and shall be subject to the obligations under Article 16 under either of the following circumstances: (a) the high-risk AI system is placed on the market together with the product under the name or trademark of the product manufacturer; (b) the high-risk AI system is put into service under the name or trademark of the product manufacturer after the product has been placed on the market. 4. The provider of a high-risk AI system and the third party that supplies an AI system, tools, services, components, or processes that are used or integrated in a high-risk AI system shall, by written agreement, specify the necessary information, capabilities, technical access and other assistance based on the generally acknowledged state of the art, in order to enable the provider of the high-risk AI system to fully comply with the obligations set out in this Regulation. This paragraph shall not apply to third parties making accessible to the public tools, services, processes, or components, other than general-purpose AI models, under a free and open-source licence.
Show original text
All parties must fully comply with the requirements outlined in this Regulation. However, this does not apply to third parties that provide public access to tools, services, processes, or components, except for general-purpose AI models, under a free and open-source license. The AI Office may create and suggest optional contract terms for agreements between providers of high-risk AI systems and third parties that offer tools, services, components, or processes used in these systems. While developing these optional terms, the AI Office will consider specific contractual needs relevant to different sectors or business cases. These terms will be published and made available for free in an easy-to-use electronic format. Additionally, the requirements in paragraphs 2 and 3 do not affect the need to respect and protect intellectual property rights, confidential business information, and trade secrets according to Union and national laws. Article 26: Responsibilities of High-Risk AI System Deployers 1. Deployers of high-risk AI systems must implement suitable technical and organizational measures to ensure the systems are used according to the provided instructions. 2. Deployers must designate qualified individuals to oversee the systems, ensuring they have the necessary skills, training, authority, and support. 3. The obligations in paragraphs 1 and 2 do not interfere with other legal responsibilities of deployers under Union or national law, nor do they limit the deployer's ability to manage their resources and activities to fulfill the oversight requirements set by the provider.
fully comply with the obligations set out in this Regulation. This paragraph shall not apply to third parties making accessible to the public tools, services, processes, or components, other than general-purpose AI models, under a free and open-source licence. The AI Office may develop and recommend voluntary model terms for contracts between providers of high-risk AI systems and third parties that supply tools, services, components or processes that are used for or integrated into high-risk AI systems. When developing those voluntary model terms, the AI Office shall take into account possible contractual requirements applicable in specific sectors or business cases. The voluntary model terms shall be published and be available free of charge in an easily usable electronic format. 5. Paragraphs 2 and 3 are without prejudice to the need to observe and protect intellectual property rights, confidential business information and trade secrets in accordance with Union and national law. Article 26 Obligations of deployers of high-risk AI systems 1. Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems, pursuant to paragraphs 3 and 6. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 67/144 2. Deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support. 3. The obligations set out in paragraphs 1 and 2, are without prejudice to other deployer obligations under Union or national law and to the deployer’s freedom to organise its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider. 4.
Show original text
Paragraphs 1 and 2 do not affect other obligations that deployers have under European or national law, nor do they limit the deployer's ability to manage their own resources and activities to implement the human oversight measures specified by the provider. Paragraph 4 states that if the deployer controls the input data, they must ensure that this data is relevant and adequately represents the intended purpose of the high-risk AI system. Paragraph 5 requires deployers to monitor the operation of the high-risk AI system according to the provided instructions. If they believe that using the system as instructed could pose a risk, they must promptly inform the provider or distributor and the relevant market surveillance authority, and suspend the system's use. In case of a serious incident, they must immediately notify the provider, followed by the importer or distributor and the relevant authorities. If the deployer cannot contact the provider, Article 73 applies accordingly. This obligation does not include sensitive operational data from AI system deployers that are law enforcement authorities. For deployers that are financial institutions, compliance with internal governance rules under European financial services law will satisfy the monitoring obligation outlined in the first part of this paragraph.
1 and 2, are without prejudice to other deployer obligations under Union or national law and to the deployer’s freedom to organise its own resources and activities for the purpose of implementing the human oversight measures indicated by the provider. 4. Without prejudice to paragraphs 1 and 2, to the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the high-risk AI system. 5. Deployers shall monitor the operation of the high-risk AI system on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72. Where deployers have reason to consider that the use of the high-risk AI system in accordance with the instructions may result in that AI system presenting a risk within the meaning of Article 79(1), they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system. Where deployers have identified a serious incident, they shall also immediately inform first the provider, and then the importer or distributor and the relevant market surveillance authorities of that incident. If the deployer is not able to reach the provider, Article 73 shall apply mutatis mutandis. This obligation shall not cover sensitive operational data of deployers of AI systems which are law enforcement authorities. For deployers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to the relevant financial service law. 6.
Show original text
Under Union financial services law, if a deployer of high-risk AI systems follows the internal governance rules, they meet their monitoring obligations. Deployers must keep logs generated by their high-risk AI systems for at least six months, unless different rules apply under Union or national law, especially regarding personal data protection. Financial institutions must include these logs in their required documentation. Before using a high-risk AI system at work, employers must inform workers and their representatives about its use, following relevant Union and national laws. Public authorities and Union institutions must register their high-risk AI systems as stated in Article 49. If they find that a system is not registered in the EU database mentioned in Article 71, they cannot use it and must notify the provider or distributor.
or processes under Union financial services law, the monitoring obligation set out in the first subparagraph shall be deemed to be fulfilled by complying with the rules on internal governance arrangements, processes and mechanisms pursuant to the relevant financial service law. 6. Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data. Deployers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law shall maintain the logs as part of the documentation kept pursuant to the relevant Union financial service law. 7. Before putting into service or using a high-risk AI system at the workplace, deployers who are employers shall inform workers’ representatives and the affected workers that they will be subject to the use of the high-risk AI system. This information shall be provided, where applicable, in accordance with the rules and procedures laid down in Union and national law and practice on information of workers and their representatives. 8. Deployers of high-risk AI systems that are public authorities, or Union institutions, bodies, offices or agencies shall comply with the registration obligations referred to in Article 49. When such deployers find that the high-risk AI system that they envisage using has not been registered in the EU database referred to in Article 71, they shall not use that system and shall inform the provider or the distributor. 9.
Show original text
If deployers discover that a high-risk AI system they plan to use is not registered in the EU database mentioned in Article 71, they must not use that system and must inform the provider or distributor. Deployers of high-risk AI systems should also use the information from Article 13 of this Regulation to fulfill their requirement to conduct a data protection impact assessment as outlined in Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680. Additionally, when investigating a person suspected or convicted of a crime, the deployer of a high-risk AI system for remote biometric identification must obtain prior authorization from a judicial or administrative authority within 48 hours for using that system. This is not required if the system is used for the initial identification of a potential suspect based on clear and verifiable evidence related to the crime. Each use of the system must be strictly necessary for investigating a specific crime. If the requested authorization is denied, the use of the biometric identification system must stop immediately, and any personal data related to that use must be deleted.
When such deployers find that the high-risk AI system that they envisage using has not been registered in the EU database referred to in Article 71, they shall not use that system and shall inform the provider or the distributor. 9. Where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680. 10. Without prejudice to Directive (EU) 2016/680, in the framework of an investigation for the targeted search of a person suspected or convicted of having committed a criminal offence, the deployer of a high-risk AI system for post-remote biometric identification shall request an authorisation, ex ante, or without undue delay and no later than 48 hours, by a judicial authority or an administrative authority whose decision is binding and subject to judicial review, for the use of that system, except when it is used for the initial identification of a potential suspect based on objective and verifiable facts directly linked to the offence. Each use shall be limited to what is strictly necessary for the investigation of a specific criminal offence. If the authorisation requested pursuant to the first subparagraph is rejected, the use of the post-remote biometric identification system linked to that requested authorisation shall be stopped with immediate effect and the personal data linked to the use of the high-risk AI system for which the authorisation was requested shall be deleted. EN OJ L, 12.7.
Show original text
The system linked to the requested authorization will be stopped immediately, and any personal data related to the high-risk AI system for which the authorization was requested will be deleted. High-risk AI systems for post-remote biometric identification cannot be used for law enforcement in a general manner, meaning they cannot be used without a connection to a specific crime, ongoing legal case, a real and immediate threat of a crime, or the search for a specific missing person. Law enforcement authorities cannot make decisions that negatively affect individuals based solely on the results from these biometric identification systems. This is in accordance with Article 9 of Regulation (EU) 2016/679 and Article 10 of Directive (EU) 2016/680 regarding the processing of biometric data. Every use of these high-risk AI systems must be documented in the relevant police files and made available to the appropriate market surveillance and national data protection authorities upon request, while protecting sensitive operational data related to law enforcement. This does not affect the powers granted to supervisory authorities by Directive (EU) 2016/680. Deployers of these systems must submit annual reports to the relevant authorities about their use of post-remote biometric identification systems, excluding sensitive operational data. These reports can cover multiple deployments. Member States can establish stricter laws regarding the use of post-remote biometric identification systems, in line with Union law.
system linked to that requested authorisation shall be stopped with immediate effect and the personal data linked to the use of the high-risk AI system for which the authorisation was requested shall be deleted. EN OJ L, 12.7.2024 68/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj In no case shall such high-risk AI system for post-remote biometric identification be used for law enforcement purposes in an untargeted way, without any link to a criminal offence, a criminal proceeding, a genuine and present or genuine and foreseeable threat of a criminal offence, or the search for a specific missing person. It shall be ensured that no decision that produces an adverse legal effect on a person may be taken by the law enforcement authorities based solely on the output of such post-remote biometric identification systems. This paragraph is without prejudice to Article 9 of Regulation (EU) 2016/679 and Article 10 of Directive (EU) 2016/680 for the processing of biometric data. Regardless of the purpose or deployer, each use of such high-risk AI systems shall be documented in the relevant police file and shall be made available to the relevant market surveillance authority and the national data protection authority upon request, excluding the disclosure of sensitive operational data related to law enforcement. This subparagraph shall be without prejudice to the powers conferred by Directive (EU) 2016/680 on supervisory authorities. Deployers shall submit annual reports to the relevant market surveillance and national data protection authorities on their use of post-remote biometric identification systems, excluding the disclosure of sensitive operational data related to law enforcement. The reports may be aggregated to cover more than one deployment. Member States may introduce, in accordance with Union law, more restrictive laws on the use of post-remote biometric identification systems. 11.
Show original text
This text discusses operational data related to law enforcement and the use of high-risk AI systems. Member States can create stricter laws regarding post-remote biometric identification systems as allowed by Union law. Deployers of high-risk AI systems, as listed in Annex III, must inform individuals when these systems are used to make decisions about them. For AI systems used in law enforcement, Article 13 of Directive (EU) 2016/680 applies. Deployers must also cooperate with relevant authorities regarding the implementation of this regulation. Before deploying a high-risk AI system, except for those specified in point 2 of Annex III, public bodies and private entities providing public services must assess the impact on fundamental rights. This assessment should include: (a) a description of how the AI system will be used; (b) the intended duration and frequency of its use; (c) the categories of individuals likely to be affected; and (d) the specific risks of harm that may impact these individuals.
operational data related to law enforcement. The reports may be aggregated to cover more than one deployment. Member States may introduce, in accordance with Union law, more restrictive laws on the use of post-remote biometric identification systems. 11. Without prejudice to Article 50 of this Regulation, deployers of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to natural persons shall inform the natural persons that they are subject to the use of the high-risk AI system. For high-risk AI systems used for law enforcement purposes Article 13 of Directive (EU) 2016/680 shall apply. 12. Deployers shall cooperate with the relevant competent authorities in any action those authorities take in relation to the high-risk AI system in order to implement this Regulation. Article 27 Fundamental rights impact assessment for high-risk AI systems 1. Prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in point 2 of Annex III, deployers that are bodies governed by public law, or are private entities providing public services, and deployers of high-risk AI systems referred to in points 5 (b) and (c) of Annex III, shall perform an assessment of the impact on fundamental rights that the use of such system may produce. For that purpose, deployers shall perform an assessment consisting of: (a) a description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose; (b) a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used; (c) the categories of natural persons and groups likely to be affected by its use in the specific context; (d) the specific risks of harm likely to have an impact on the categories of natural persons or
Show original text
The high-risk AI system must be used in a specific way, and the following information is required: (a) how the AI system is intended to be used; (b) the types of people and groups that may be affected by its use; (c) the specific risks of harm that could impact these people or groups, based on information provided by the supplier; (d) a description of how human oversight will be implemented according to the usage instructions; (e) the actions to take if these risks occur, including internal governance and complaint procedures. This requirement applies to the initial use of the high-risk AI system. The deployer can refer to previous assessments of fundamental rights or existing assessments from the provider in similar situations. If the deployer finds that any of the information has changed or is outdated during the use of the AI system, they must update it accordingly. After completing the assessment, the deployer must inform the market surveillance authority of the results by submitting a completed template as part of the notification. In certain cases, as mentioned in Article 46(1), deployers may not need to notify.
-risk AI system is intended to be used; (c) the categories of natural persons and groups likely to be affected by its use in the specific context; (d) the specific risks of harm likely to have an impact on the categories of natural persons or groups of persons identified pursuant to point (c) of this paragraph, taking into account the information given by the provider pursuant to Article 13; (e) a description of the implementation of human oversight measures, according to the instructions for use; (f) the measures to be taken in the case of the materialisation of those risks, including the arrangements for internal governance and complaint mechanisms. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 69/144 2. The obligation laid down in paragraph 1 applies to the first use of the high-risk AI system. The deployer may, in similar cases, rely on previously conducted fundamental rights impact assessments or existing impact assessments carried out by provider. If, during the use of the high-risk AI system, the deployer considers that any of the elements listed in paragraph 1 has changed or is no longer up to date, the deployer shall take the necessary steps to update the information. 3. Once the assessment referred to in paragraph 1 of this Article has been performed, the deployer shall notify the market surveillance authority of its results, submitting the filled-out template referred to in paragraph 5 of this Article as part of the notification. In the case referred to in Article 46(1), deployers may be exempt from that obligation to notify. 4.
Show original text
Deployers must submit a completed template mentioned in paragraph 5 of this Article as part of their notification. However, as stated in Article 46(1), some deployers may not need to notify. If any obligations in this Article are already fulfilled by a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment in paragraph 1 will add to that data protection assessment. The AI Office will create a questionnaire template, possibly using an automated tool, to help deployers meet their obligations more easily. SECTION 4 Notifying Authorities and Notified Bodies Article 28 Notifying Authorities 1. Each Member State must appoint at least one notifying authority to manage the procedures for assessing, designating, and notifying conformity assessment bodies, as well as monitoring them. These procedures will be developed in collaboration with notifying authorities from all Member States. 2. Member States can choose to have a national accreditation body, as defined by Regulation (EC) No 765/2008, conduct the assessment and monitoring mentioned in paragraph 1. 3. Notifying authorities must be structured and operated to avoid conflicts of interest with conformity assessment bodies, ensuring their activities remain objective and impartial. 4. Decisions about notifying conformity assessment bodies must be made by qualified individuals who did not conduct the assessments of those bodies.
of its results, submitting the filled-out template referred to in paragraph 5 of this Article as part of the notification. In the case referred to in Article 46(1), deployers may be exempt from that obligation to notify. 4. If any of the obligations laid down in this Article is already met through the data protection impact assessment conducted pursuant to Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment. 5. The AI Office shall develop a template for a questionnaire, including through an automated tool, to facilitate deployers in complying with their obligations under this Article in a simplified manner. SECTION 4 Notifying authorities and notified bodies Article 28 Notifying authorities 1. Each Member State shall designate or establish at least one notifying authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring. Those procedures shall be developed in cooperation between the notifying authorities of all Member States. 2. Member States may decide that the assessment and monitoring referred to in paragraph 1 is to be carried out by a national accreditation body within the meaning of, and in accordance with, Regulation (EC) No 765/2008. 3. Notifying authorities shall be established, organised and operated in such a way that no conflict of interest arises with conformity assessment bodies, and that the objectivity and impartiality of their activities are safeguarded. 4. Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies. 5.
Show original text
1. Notifying authorities must ensure that their activities are protected. 2. Decisions about notifying conformity assessment bodies must be made by different qualified individuals than those who conducted the assessments. 3. Notifying authorities cannot provide any services that conformity assessment bodies offer, nor can they offer consultancy services for profit. 4. They must keep all information confidential, as stated in Article 78. 5. Notifying authorities should have enough qualified staff to perform their duties effectively. This staff should have the necessary expertise in areas like information technology, AI, and law, including oversight of fundamental rights. 6. Conformity assessment bodies must apply for notification to the notifying authority in their Member State. 7. The application must include a description of their assessment activities, the relevant conformity assessment modules, the types of AI systems they are qualified to assess, and an accreditation certificate from a national body, if available. 8. Any valid documents related to the applicant's existing designations under other EU regulations must also be included.
ity of their activities are safeguarded. 4. Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies. 5. Notifying authorities shall offer or provide neither any activities that conformity assessment bodies perform, nor any consultancy services on a commercial or competitive basis. 6. Notifying authorities shall safeguard the confidentiality of the information that they obtain, in accordance with Article 78. 7. Notifying authorities shall have an adequate number of competent personnel at their disposal for the proper performance of their tasks. Competent personnel shall have the necessary expertise, where applicable, for their function, in fields such as information technologies, AI and law, including the supervision of fundamental rights. Article 29 Application of a conformity assessment body for notification 1. Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established. EN OJ L, 12.7.2024 70/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2. The application for notification shall be accompanied by a description of the conformity assessment activities, the conformity assessment module or modules and the types of AI systems for which the conformity assessment body claims to be competent, as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 31. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added. 3.
Show original text
An accreditation body confirms that a conformity assessment body meets the requirements outlined in Article 31. Any valid documents related to the applicant's existing designations under other EU harmonization laws must be included. If the conformity assessment body cannot provide an accreditation certificate, it must supply the notifying authority with all necessary documents to verify and monitor its compliance with Article 31. For notified bodies designated under other EU harmonization laws, all related documents and certificates can support their designation process under this regulation. The notified body must update the documentation whenever relevant changes occur to help the authority monitor ongoing compliance with Article 31. Article 30 Notification Procedure: 1. Notifying authorities can only notify conformity assessment bodies that meet the requirements of Article 31. 2. They must notify the Commission and other Member States using the Commission's electronic notification tool for each conformity assessment body mentioned in paragraph 1. 3. The notification must include detailed information about the conformity assessment activities, the relevant modules, the types of AI systems involved, and proof of competence. If the notification does not rely on an accreditation certificate as stated in Article 29(2), the notifying authority must provide evidence of the conformity assessment body's competence and the measures in place for regular monitoring to ensure ongoing compliance with Article 31.
accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 31. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added. 3. Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 31. 4. For notified bodies which are designated under any other Union harmonisation legislation, all documents and certificates linked to those designations may be used to support their designation procedure under this Regulation, as appropriate. The notified body shall update the documentation referred to in paragraphs 2 and 3 of this Article whenever relevant changes occur, in order to enable the authority responsible for notified bodies to monitor and verify continuous compliance with all the requirements laid down in Article 31. Article 30 Notification procedure 1. Notifying authorities may notify only conformity assessment bodies which have satisfied the requirements laid down in Article 31. 2. Notifying authorities shall notify the Commission and the other Member States, using the electronic notification tool developed and managed by the Commission, of each conformity assessment body referred to in paragraph 1. 3. The notification referred to in paragraph 2 of this Article shall include full details of the conformity assessment activities, the conformity assessment module or modules, the types of AI systems concerned, and the relevant attestation of competence. Where a notification is not based on an accreditation certificate as referred to in Article 29(2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the competence of the conformity assessment body and to the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 31. 4.
Show original text
States must provide documentation that shows the competence of the conformity assessment body and the measures in place for its regular monitoring to ensure it meets the requirements outlined in Article 31. The conformity assessment body can only act as a notified body if there are no objections from the Commission or other Member States within two weeks of a notification that includes an accreditation certificate (as per Article 29(2)), or within two months if it includes other required documentation (as per Article 29(3)). If objections are raised, the Commission will promptly consult with the relevant Member States and the conformity assessment body to determine if the authorization is warranted. The Commission will communicate its decision to the concerned Member State and the relevant conformity assessment body. According to Article 31, a notified body must be established under the national law of a Member State and have legal personality. It must meet specific organizational, quality management, resource, and process requirements, including cybersecurity standards. The structure and operations of notified bodies should inspire confidence in their performance and the results of their conformity assessments. Additionally, notified bodies must operate independently from the providers of high-risk AI systems for which they conduct assessments.
States with documentary evidence which attests to the competence of the conformity assessment body and to the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 31. 4. The conformity assessment body concerned may perform the activities of a notified body only where no objections are raised by the Commission or the other Member States within two weeks of a notification by a notifying authority where it includes an accreditation certificate referred to in Article 29(2), or within two months of a notification by the notifying authority where it includes documentary evidence referred to in Article 29(3). 5. Where objections are raised, the Commission shall, without delay, enter into consultations with the relevant Member States and the conformity assessment body. In view thereof, the Commission shall decide whether the authorisation is justified. The Commission shall address its decision to the Member State concerned and to the relevant conformity assessment body. Article 31 Requirements relating to notified bodies 1. A notified body shall be established under the national law of a Member State and shall have legal personality. 2. Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are necessary to fulfil their tasks, as well as suitable cybersecurity requirements. 3. The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall ensure confidence in their performance, and in the results of the conformity assessment activities that the notified bodies conduct. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 71/144 4. Notified bodies shall be independent of the provider of a high-risk AI system in relation to which they perform conformity assessment activities.
Show original text
Notified bodies must be independent from the providers of high-risk AI systems when conducting conformity assessments. They should also be free from any economic interests related to these systems and from competitors of the providers. However, they can use high-risk AI systems necessary for their operations or for personal use. The management and staff of a conformity assessment body must not be involved in designing, developing, marketing, or using high-risk AI systems, nor should they represent those who are. They must avoid any activities that could compromise their independence or integrity in conformity assessments, especially consultancy services. Notified bodies must be structured and operated to ensure their independence, objectivity, and impartiality. They need to have documented procedures to maintain impartiality and promote these principles within their organization and assessment activities. Additionally, notified bodies must have procedures to ensure that their personnel and associated bodies keep confidential any information they acquire during conformity assessments, unless disclosure is legally required.
data.europa.eu/eli/reg/2024/1689/oj 71/144 4. Notified bodies shall be independent of the provider of a high-risk AI system in relation to which they perform conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic interest in high-risk AI systems assessed, as well as of any competitors of the provider. This shall not preclude the use of assessed high-risk AI systems that are necessary for the operations of the conformity assessment body, or the use of such high-risk AI systems for personal purposes. 5. Neither a conformity assessment body, its top-level management nor the personnel responsible for carrying out its conformity assessment tasks shall be directly involved in the design, development, marketing or use of high-risk AI systems, nor shall they represent the parties engaged in those activities. They shall not engage in any activity that might conflict with their independence of judgement or integrity in relation to conformity assessment activities for which they are notified. This shall, in particular, apply to consultancy services. 6. Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities. 7. Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries, subcontractors and any associated body or personnel of external bodies maintain, in accordance with Article 78, the confidentiality of the information which comes into their possession during the performance of conformity assessment activities, except when its disclosure is required by law.
Show original text
Notified bodies and their staff must keep all information confidential that they receive while performing conformity assessment activities, as stated in Article 78. They can only disclose this information if required by law. Staff members are required to maintain professional secrecy regarding all information obtained during their work, except when communicating with the notifying authorities of their Member State. Notified bodies must have procedures that consider the size, sector, structure, and complexity of the AI systems they assess. They are also required to have appropriate liability insurance for their conformity assessment activities, unless the Member State assumes this liability according to national law or is directly responsible for the assessment. Notified bodies must perform their tasks with high professional integrity and the necessary expertise, whether they carry out these tasks themselves or through external parties. They should have enough internal expertise to effectively evaluate the work done by external parties on their behalf. This includes having a sufficient number of administrative, technical, legal, and scientific personnel with experience in relevant AI systems and data requirements. Additionally, notified bodies must participate in coordination activities as outlined in Article 38 and engage with European standardization organizations to stay informed about relevant standards.
ors and any associated body or personnel of external bodies maintain, in accordance with Article 78, the confidentiality of the information which comes into their possession during the performance of conformity assessment activities, except when its disclosure is required by law. The staff of notified bodies shall be bound to observe professional secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the notifying authorities of the Member State in which their activities are carried out. 8. Notified bodies shall have procedures for the performance of activities which take due account of the size of a provider, the sector in which it operates, its structure, and the degree of complexity of the AI system concerned. 9. Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability is assumed by the Member State in which they are established in accordance with national law or that Member State is itself directly responsible for the conformity assessment. 10. Notified bodies shall be capable of carrying out all their tasks under this Regulation with the highest degree of professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified bodies themselves or on their behalf and under their responsibility. 11. Notified bodies shall have sufficient internal competences to be able effectively to evaluate the tasks conducted by external parties on their behalf. The notified body shall have permanent availability of sufficient administrative, technical, legal and scientific personnel who possess experience and knowledge relating to the relevant types of AI systems, data and data computing, and relating to the requirements set out in Section 2. 12. Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly, or be represented in, European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards.
Show original text
Bodies involved must participate in coordination activities as mentioned in Article 38. They should also engage directly or be represented in European standardization organizations, ensuring they stay informed about relevant standards. **Article 32** **Assumption of Compliance for Notified Bodies** If a conformity assessment body shows that it meets the criteria in the relevant harmonized standards published in the Official Journal of the European Union, it is assumed to comply with the requirements in Article 31, as long as those standards cover those requirements. **Article 33** **Subsidiaries and Subcontracting of Notified Bodies** 1. If a notified body subcontracts tasks related to conformity assessment or uses a subsidiary, it must ensure that the subcontractor or subsidiary meets the requirements in Article 31 and must inform the notifying authority. 2. Notified bodies are fully responsible for the work done by any subcontractors or subsidiaries. 3. Subcontracting or using a subsidiary can only happen with the provider's agreement. Notified bodies must publicly list their subsidiaries. 4. Documents related to the qualifications of subcontractors or subsidiaries and their work under this regulation must be kept available for the notifying authority for five years after the subcontracting ends. **Article 34** **Operational Responsibilities of Notified Bodies** 1. Notified bodies must verify the compliance of high-risk AI systems according to the procedures outlined in Article 43.
bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly, or be represented in, European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards. Article 32 Presumption of conformity with requirements relating to notified bodies Where a conformity assessment body demonstrates its conformity with the criteria laid down in the relevant harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, it shall be presumed to comply with the requirements set out in Article 31 in so far as the applicable harmonised standards cover those requirements. EN OJ L, 12.7.2024 72/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 33 Subsidiaries of notified bodies and subcontracting 1. Where a notified body subcontracts specific tasks connected with the conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements laid down in Article 31, and shall inform the notifying authority accordingly. 2. Notified bodies shall take full responsibility for the tasks performed by any subcontractors or subsidiaries. 3. Activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider. Notified bodies shall make a list of their subsidiaries publicly available. 4. The relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation shall be kept at the disposal of the notifying authority for a period of five years from the termination date of the subcontracting. Article 34 Operational obligations of notified bodies 1. Notified bodies shall verify the conformity of high-risk AI systems in accordance with the conformity assessment procedures set out in Article 43. 2.
Show original text
Termination date of the subcontracting. **Article 34: Responsibilities of Notified Bodies** 1. Notified bodies must check that high-risk AI systems meet the required standards as outlined in Article 43. 2. When carrying out their duties, notified bodies should avoid placing unnecessary burdens on providers. They should consider the provider's size, industry, structure, and the complexity of the high-risk AI system to reduce administrative and compliance costs, especially for micro and small enterprises as defined by Recommendation 2003/361/EC. However, they must still maintain the necessary rigor and protection standards for compliance with this Regulation. 3. Notified bodies are required to provide all relevant documentation, including that from providers, to the notifying authority mentioned in Article 28. This is to assist the authority in its assessment, designation, notification, and monitoring tasks. **Article 35: Identification Numbers and Lists of Notified Bodies** 1. The Commission will assign a unique identification number to each notified body, even if a body is notified under multiple EU regulations. 2. The Commission will publicly share a list of notified bodies under this Regulation, including their identification numbers and the activities they are authorized for, and will keep this list updated. **Article 36: Changes to Notifications** 1. The notifying authority must inform the Commission and other Member States of any significant changes to a notified body's status using the electronic notification tool mentioned in Article 30(2). 2. The procedures in Articles 29 and 30 will also apply to any extensions of the notification's scope.
termination date of the subcontracting. Article 34 Operational obligations of notified bodies 1. Notified bodies shall verify the conformity of high-risk AI systems in accordance with the conformity assessment procedures set out in Article 43. 2. Notified bodies shall avoid unnecessary burdens for providers when performing their activities, and take due account of the size of the provider, the sector in which it operates, its structure and the degree of complexity of the high-risk AI system concerned, in particular in view of minimising administrative burdens and compliance costs for micro- and small enterprises within the meaning of Recommendation 2003/361/EC. The notified body shall, nevertheless, respect the degree of rigour and the level of protection required for the compliance of the high-risk AI system with the requirements of this Regulation. 3. Notified bodies shall make available and submit upon request all relevant documentation, including the providers’ documentation, to the notifying authority referred to in Article 28 to allow that authority to conduct its assessment, designation, notification and monitoring activities, and to facilitate the assessment outlined in this Section. Article 35 Identification numbers and lists of notified bodies 1. The Commission shall assign a single identification number to each notified body, even where a body is notified under more than one Union act. 2. The Commission shall make publicly available the list of the bodies notified under this Regulation, including their identification numbers and the activities for which they have been notified. The Commission shall ensure that the list is kept up to date. Article 36 Changes to notifications 1. The notifying authority shall notify the Commission and the other Member States of any relevant changes to the notification of a notified body via the electronic notification tool referred to in Article 30(2). 2. The procedures laid down in Articles 29 and 30 shall apply to extensions of the scope of the notification.
Show original text
Notified bodies must report any relevant changes using the electronic notification tool mentioned in Article 30(2). The procedures in Articles 29 and 30 apply when extending the scope of a notification. For other changes, procedures in paragraphs (3) to (9) should be followed. If a notified body decides to stop its conformity assessment activities, it must notify the relevant authority and affected providers as soon as possible, and at least one year in advance if the cessation is planned. Certificates issued by the notified body can remain valid for up to nine months after it stops its activities, provided another notified body agrees in writing to take over responsibility for the high-risk AI systems covered by those certificates. This new notified body must complete a full assessment of the affected systems within nine months before issuing new certificates. If the notified body has ceased operations, the notifying authority will withdraw its designation. If a notifying authority believes that a notified body no longer meets the requirements in Article 31 or is not fulfilling its obligations, it must promptly investigate the issue. The authority should inform the notified body of the concerns raised and allow it to respond.
of any relevant changes to the notification of a notified body via the electronic notification tool referred to in Article 30(2). 2. The procedures laid down in Articles 29 and 30 shall apply to extensions of the scope of the notification. For changes to the notification other than extensions of its scope, the procedures laid down in paragraphs (3) to (9) shall apply. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 73/144 3. Where a notified body decides to cease its conformity assessment activities, it shall inform the notifying authority and the providers concerned as soon as possible and, in the case of a planned cessation, at least one year before ceasing its activities. The certificates of the notified body may remain valid for a period of nine months after cessation of the notified body’s activities, on condition that another notified body has confirmed in writing that it will assume responsibilities for the high-risk AI systems covered by those certificates. The latter notified body shall complete a full assessment of the high-risk AI systems affected by the end of that nine-month-period before issuing new certificates for those systems. Where the notified body has ceased its activity, the notifying authority shall withdraw the designation. 4. Where a notifying authority has sufficient reason to consider that a notified body no longer meets the requirements laid down in Article 31, or that it is failing to fulfil its obligations, the notifying authority shall without delay investigate the matter with the utmost diligence. In that context, it shall inform the notified body concerned about the objections raised and give it the possibility to make its views known.
Show original text
If a notified body is not meeting its obligations, the notifying authority must promptly investigate the issue. They will inform the notified body about the concerns raised and allow it to respond. If the notifying authority finds that the notified body no longer meets the requirements in Article 31 or is failing its obligations, they can restrict, suspend, or withdraw its designation based on the severity of the issue. They must immediately notify the Commission and other Member States. If a designation is suspended, restricted, or withdrawn, the notified body must inform the affected providers within 10 days. The notifying authority will also ensure that the notified body's files are maintained and accessible to other Member States' notifying authorities and market surveillance authorities upon request. When a designation is restricted, suspended, or withdrawn, the notifying authority will: (a) evaluate how this affects the certificates issued by the notified body; (b) report their findings to the Commission and other Member States within three months of notifying the changes; (c) require the notified body to suspend or withdraw any improperly issued certificates within a reasonable timeframe to ensure high-risk AI systems remain compliant; (d) inform the Commission and Member States about the certificates that have been suspended or withdrawn; (e) provide relevant information about the suspended or withdrawn certificates to the national authorities in the Member State where the provider is registered, so they can take appropriate action.
it is failing to fulfil its obligations, the notifying authority shall without delay investigate the matter with the utmost diligence. In that context, it shall inform the notified body concerned about the objections raised and give it the possibility to make its views known. If the notifying authority comes to the conclusion that the notified body no longer meets the requirements laid down in Article 31 or that it is failing to fulfil its obligations, it shall restrict, suspend or withdraw the designation as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall immediately inform the Commission and the other Member States accordingly. 5. Where its designation has been suspended, restricted, or fully or partially withdrawn, the notified body shall inform the providers concerned within 10 days. 6. In the event of the restriction, suspension or withdrawal of a designation, the notifying authority shall take appropriate steps to ensure that the files of the notified body concerned are kept, and to make them available to notifying authorities in other Member States and to market surveillance authorities at their request. 7. In the event of the restriction, suspension or withdrawal of a designation, the notifying authority shall: (a) assess the impact on the certificates issued by the notified body; (b) submit a report on its findings to the Commission and the other Member States within three months of having notified the changes to the designation; (c) require the notified body to suspend or withdraw, within a reasonable period of time determined by the authority, any certificates which were unduly issued, in order to ensure the continuing conformity of high-risk AI systems on the market; (d) inform the Commission and the Member States about certificates the suspension or withdrawal of which it has required; (e) provide the national competent authorities of the Member State in which the provider has its registered place of business with all relevant information about the certificates of which it has required the suspension or withdrawal; that authority shall take the appropriate measures,
Show original text
Providers must inform the national authorities in their Member State about any certificates they have suspended or withdrawn. These authorities will take necessary actions to prevent any risks to health, safety, or fundamental rights. Certificates will remain valid in the following situations, unless they were issued incorrectly or if a designation has been suspended or restricted: (a) If the notifying authority confirms within one month that there is no risk to health, safety, or fundamental rights related to the affected certificates and provides a timeline for resolving the suspension or restriction; or (b) If the notifying authority states that no new or amended certificates will be issued during the suspension and confirms whether the notified body can continue to monitor the existing certificates. If the notified body cannot support the existing certificates, the provider must inform the national authorities in writing within three months, stating that another qualified notified body will temporarily take over monitoring responsibilities during the suspension or restriction.
required; (e) provide the national competent authorities of the Member State in which the provider has its registered place of business with all relevant information about the certificates of which it has required the suspension or withdrawal; that authority shall take the appropriate measures, where necessary, to avoid a potential risk to health, safety or fundamental rights. 8. With the exception of certificates unduly issued, and where a designation has been suspended or restricted, the certificates shall remain valid in one of the following circumstances: (a) the notifying authority has confirmed, within one month of the suspension or restriction, that there is no risk to health, safety or fundamental rights in relation to certificates affected by the suspension or restriction, and the notifying authority has outlined a timeline for actions to remedy the suspension or restriction; or (b) the notifying authority has confirmed that no certificates relevant to the suspension will be issued, amended or re-issued during the course of the suspension or restriction, and states whether the notified body has the capability of continuing to monitor and remain responsible for existing certificates issued for the period of the suspension or restriction; in the event that the notifying authority determines that the notified body does not have the capability to support existing certificates issued, the provider of the system covered by the certificate shall confirm in writing to the national competent authorities of the Member State in which it has its registered place of business, within three months of the suspension or restriction, that another qualified notified body is temporarily assuming the functions of the notified body to monitor and remain responsible for the certificates during the period of suspension or restriction. EN OJ L, 12.7.2024 74/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 9.
Show original text
Certificates issued during a suspension or restriction period will remain valid for nine months, unless they were issued incorrectly or the designation has been withdrawn. This is valid under two conditions: (a) the national authority in the Member State where the high-risk AI system provider is based confirms there are no health, safety, or fundamental rights risks associated with the AI systems; and (b) another notified body agrees in writing to take immediate responsibility for those AI systems and completes its assessment within 12 months of the designation withdrawal. The national authority may extend the provisional validity of the certificates for additional three-month periods, up to a maximum of 12 months total. The national authority or the new notified body must promptly inform the Commission, other Member States, and other notified bodies about these changes. Article 37 addresses challenges to the competence of notified bodies: 1. The Commission will investigate any doubts regarding a notified body's competence or its ability to meet the requirements outlined in Article 31. 2. The notifying authority must provide the Commission with all relevant information about the notification or the competence of the notified body when requested.
certificates during the period of suspension or restriction. EN OJ L, 12.7.2024 74/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 9. With the exception of certificates unduly issued, and where a designation has been withdrawn, the certificates shall remain valid for a period of nine months under the following circumstances: (a) the national competent authority of the Member State in which the provider of the high-risk AI system covered by the certificate has its registered place of business has confirmed that there is no risk to health, safety or fundamental rights associated with the high-risk AI systems concerned; and (b) another notified body has confirmed in writing that it will assume immediate responsibility for those AI systems and completes its assessment within 12 months of the withdrawal of the designation. In the circumstances referred to in the first subparagraph, the national competent authority of the Member State in which the provider of the system covered by the certificate has its place of business may extend the provisional validity of the certificates for additional periods of three months, which shall not exceed 12 months in total. The national competent authority or the notified body assuming the functions of the notified body affected by the change of designation shall immediately inform the Commission, the other Member States and the other notified bodies thereof. Article 37 Challenge to the competence of notified bodies 1. The Commission shall, where necessary, investigate all cases where there are reasons to doubt the competence of a notified body or the continued fulfilment by a notified body of the requirements laid down in Article 31 and of its applicable responsibilities. 2. The notifying authority shall provide the Commission, on request, with all relevant information relating to the notification or the maintenance of the competence of the notified body concerned. 3.
Show original text
According to Article 31, the notifying authority must provide the Commission with any relevant information related to the notification or the ongoing qualifications of the notified body when requested. The Commission will keep all sensitive information obtained during its investigations confidential, as stated in Article 78. If the Commission finds that a notified body no longer meets the necessary requirements, it will inform the notifying Member State and ask for corrective actions, which may include suspending or withdrawing the notification. If the Member State does not take action, the Commission can suspend, restrict, or withdraw the designation through an implementing act, following the examination procedure in Article 98(2). Article 38 outlines the coordination of notified bodies. The Commission will ensure effective coordination and cooperation among notified bodies involved in assessing high-risk AI systems by forming a sectoral group. Each notifying authority must ensure that the bodies it has notified participate in this group, either directly or through representatives. The Commission will also facilitate the sharing of knowledge and best practices among notifying authorities.
laid down in Article 31 and of its applicable responsibilities. 2. The notifying authority shall provide the Commission, on request, with all relevant information relating to the notification or the maintenance of the competence of the notified body concerned. 3. The Commission shall ensure that all sensitive information obtained in the course of its investigations pursuant to this Article is treated confidentially in accordance with Article 78. 4. Where the Commission ascertains that a notified body does not meet or no longer meets the requirements for its notification, it shall inform the notifying Member State accordingly and request it to take the necessary corrective measures, including the suspension or withdrawal of the notification if necessary. Where the Member State fails to take the necessary corrective measures, the Commission may, by means of an implementing act, suspend, restrict or withdraw the designation. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2). Article 38 Coordination of notified bodies 1. The Commission shall ensure that, with regard to high-risk AI systems, appropriate coordination and cooperation between notified bodies active in the conformity assessment procedures pursuant to this Regulation are put in place and properly operated in the form of a sectoral group of notified bodies. 2. Each notifying authority shall ensure that the bodies notified by it participate in the work of a group referred to in paragraph 1, directly or through designated representatives. 3. The Commission shall provide for the exchange of knowledge and best practices between notifying authorities. OJ L, 12.7.
Show original text
The Commission will facilitate the sharing of knowledge and best practices among notifying authorities. Conformity assessment bodies from third countries that have agreements with the European Union can be authorized to perform the functions of notified bodies, as long as they meet the requirements specified in Article 31 or demonstrate an equivalent level of compliance. Article 40 discusses harmonized standards and standardization deliverables. High-risk AI systems or general-purpose AI models that comply with harmonized standards published in the Official Journal of the European Union are presumed to meet the requirements outlined in Section 2 of this Chapter, as well as the obligations in Chapter V, Sections 2 and 3 of this Regulation, provided those standards address those requirements. The Commission will promptly issue standardization requests for all requirements in Section 2 and, if applicable, for obligations in Chapter V, Sections 2 and 3.
by it participate in the work of a group referred to in paragraph 1, directly or through designated representatives. 3. The Commission shall provide for the exchange of knowledge and best practices between notifying authorities. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 75/144 Article 39 Conformity assessment bodies of third countries Conformity assessment bodies established under the law of a third country with which the Union has concluded an agreement may be authorised to carry out the activities of notified bodies under this Regulation, provided that they meet the requirements laid down in Article 31 or they ensure an equivalent level of compliance. SECTION 5 Standards, conformity assessment, certificates, registration Article 40 Harmonised standards and standardisation deliverables 1. High-risk AI systems or general-purpose AI models which are in conformity with harmonised standards or parts thereof the references of which have been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012 shall be presumed to be in conformity with the requirements set out in Section 2 of this Chapter or, as applicable, with the obligations set out in of Chapter V, Sections 2 and 3, of this Regulation, to the extent that those standards cover those requirements or obligations. 2. In accordance with Article 10 of Regulation (EU) No 1025/2012, the Commission shall issue, without undue delay, standardisation requests covering all requirements set out in Section 2 of this Chapter and, as applicable, standardisation requests covering obligations set out in Chapter V, Sections 2 and 3, of this Regulation.
Show original text
The Commission must quickly issue standardisation requests that cover all requirements in Section 2 of this Chapter, as well as obligations in Chapter V, Sections 2 and 3 of this Regulation. These requests should also include deliverables related to reporting and documentation processes aimed at improving the resource performance of AI systems, such as reducing energy consumption and other resource use during their lifecycle, and promoting energy-efficient development of general-purpose AI models. The Commission will consult the Board and relevant stakeholders, including the advisory forum, when preparing these requests. When sending standardisation requests to European standardisation organisations, the Commission will specify that the standards must be clear and consistent, aligning with existing Union harmonisation legislation listed in Annex I. The goal is to ensure that high-risk AI systems or general-purpose AI models available in the Union meet the necessary requirements outlined in this Regulation. The Commission will also ask European standardisation organisations to demonstrate their efforts to achieve these objectives as per Article 24 of Regulation (EU) No 1025/2012. Participants in the standardisation process should aim to encourage investment and innovation in AI, enhance legal certainty, and boost the competitiveness and growth of the Union market. This will help strengthen global cooperation on standardisation while considering existing international AI standards that align with Union values, fundamental rights, and interests. Additionally, it will promote multi-stakeholder governance to ensure balanced representation and effective participation of all relevant stakeholders, in accordance with Articles 5, 6, and 7 of Regulation (EU) No.
issue, without undue delay, standardisation requests covering all requirements set out in Section 2 of this Chapter and, as applicable, standardisation requests covering obligations set out in Chapter V, Sections 2 and 3, of this Regulation. The standardisation request shall also ask for deliverables on reporting and documentation processes to improve AI systems’ resource performance, such as reducing the high-risk AI system’s consumption of energy and of other resources during its lifecycle, and on the energy-efficient development of general-purpose AI models. When preparing a standardisation request, the Commission shall consult the Board and relevant stakeholders, including the advisory forum. When issuing a standardisation request to European standardisation organisations, the Commission shall specify that standards have to be clear, consistent, including with the standards developed in the various sectors for products covered by the existing Union harmonisation legislation listed in Annex I, and aiming to ensure that high-risk AI systems or general-purpose AI models placed on the market or put into service in the Union meet the relevant requirements or obligations laid down in this Regulation. The Commission shall request the European standardisation organisations to provide evidence of their best efforts to fulfil the objectives referred to in the first and the second subparagraph of this paragraph in accordance with Article 24 of Regulation (EU) No 1025/2012. 3. The participants in the standardisation process shall seek to promote investment and innovation in AI, including through increasing legal certainty, as well as the competitiveness and growth of the Union market, to contribute to strengthening global cooperation on standardisation and taking into account existing international standards in the field of AI that are consistent with Union values, fundamental rights and interests, and to enhance multi-stakeholder governance ensuring a balanced representation of interests and the effective participation of all relevant stakeholders in accordance with Articles 5, 6, and 7 of Regulation (EU) No
Show original text
The goal is to protect fundamental rights and interests while promoting multi-stakeholder governance. This ensures that all relevant parties are fairly represented and can participate effectively, as outlined in Articles 5, 6, and 7 of Regulation (EU) No 1025/2012. Article 41: Common Specifications 1. The Commission can create implementing acts that establish common specifications for the requirements in Section 2 of this Chapter or for the obligations in Sections 2 and 3 of Chapter V, under the following conditions: (a) The Commission has asked one or more European standardisation organisations to create a harmonised standard for the requirements in Section 2 or the obligations in Sections 2 and 3 of Chapter V, and: (i) The request was not accepted by any of the organisations; or (ii) The harmonised standards were not delivered by the deadline set by Article 10(1) of Regulation (EU) No 1025/2012; or (iii) The standards do not adequately address fundamental rights concerns; or (iv) The standards do not meet the request; and (b) There has been no published reference to harmonised standards for the requirements in Section 2 or the obligations in Sections 2 and 3 of Chapter V in the Official Journal of the European Union, as per Regulation (EU) No 1025/2012.
fundamental rights and interests, and to enhance multi-stakeholder governance ensuring a balanced representation of interests and the effective participation of all relevant stakeholders in accordance with Articles 5, 6, and 7 of Regulation (EU) No 1025/2012. Article 41 Common specifications 1. The Commission may adopt, implementing acts establishing common specifications for the requirements set out in Section 2 of this Chapter or, as applicable, for the obligations set out in Sections 2 and 3 of Chapter V where the following conditions have been fulfilled: (a) the Commission has requested, pursuant to Article 10(1) of Regulation (EU) No 1025/2012, one or more European standardisation organisations to draft a harmonised standard for the requirements set out in Section 2 of this Chapter, or, as applicable, for the obligations set out in Sections 2 and 3 of Chapter V, and: (i) the request has not been accepted by any of the European standardisation organisations; or EN OJ L, 12.7.2024 76/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (ii) the harmonised standards addressing that request are not delivered within the deadline set in accordance with Article 10(1) of Regulation (EU) No 1025/2012; or (iii) the relevant harmonised standards insufficiently address fundamental rights concerns; or (iv) the harmonised standards do not comply with the request; and (b) no reference to harmonised standards covering the requirements referred to in Section 2 of this Chapter or, as applicable, the obligations referred to in Sections 2 and 3 of Chapter V has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012, and no such reference is
Show original text
The obligations mentioned in Sections 2 and 3 of Chapter V have been published in the Official Journal of the European Union as per Regulation (EU) No 1025/2012, and no new references are expected to be published soon. When creating common specifications, the Commission will consult the advisory forum mentioned in Article 67. The implementing acts will be adopted following the examination procedure outlined in Article 98(2). Before drafting an implementing act, the Commission must inform the committee referenced in Article 22 of Regulation (EU) No 1025/2012 that it believes the conditions in paragraph 1 are met. High-risk AI systems or general-purpose AI models that meet the common specifications in paragraph 1 will be assumed to comply with the requirements in Section 2 of this Chapter or the obligations in Sections 2 and 3 of Chapter V, as long as those specifications cover those requirements or obligations. If a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for publication in the Official Journal of the European Union, the Commission will evaluate it according to Regulation (EU) No 1025/2012. Once a harmonised standard is published, the Commission will repeal the implementing acts mentioned in paragraph 1, or the parts that cover the same requirements in Section 2 or the same obligations in Sections 2 and 3 of Chapter V.
applicable, the obligations referred to in Sections 2 and 3 of Chapter V has been published in the Official Journal of the European Union in accordance with Regulation (EU) No 1025/2012, and no such reference is expected to be published within a reasonable period. When drafting the common specifications, the Commission shall consult the advisory forum referred to in Article 67. The implementing acts referred to in the first subparagraph of this paragraph shall be adopted in accordance with the examination procedure referred to in Article 98(2). 2. Before preparing a draft implementing act, the Commission shall inform the committee referred to in Article 22 of Regulation (EU) No 1025/2012 that it considers the conditions laid down in paragraph 1 of this Article to be fulfilled. 3. High-risk AI systems or general-purpose AI models which are in conformity with the common specifications referred to in paragraph 1, or parts of those specifications, shall be presumed to be in conformity with the requirements set out in Section 2 of this Chapter or, as applicable, to comply with the obligations referred to in Sections 2 and 3 of Chapter V, to the extent those common specifications cover those requirements or those obligations. 4. Where a harmonised standard is adopted by a European standardisation organisation and proposed to the Commission for the publication of its reference in the Official Journal of the European Union, the Commission shall assess the harmonised standard in accordance with Regulation (EU) No 1025/2012. When reference to a harmonised standard is published in the Official Journal of the European Union, the Commission shall repeal the implementing acts referred to in paragraph 1, or parts thereof which cover the same requirements set out in Section 2 of this Chapter or, as applicable, the same obligations set out in Sections 2 and 3 of Chapter V. 5.
Show original text
Providers of high-risk AI systems or general-purpose AI models must follow the common specifications mentioned in paragraph 1. If they do not comply, they must explain how their technical solutions meet the requirements in Section 2 of this Chapter or the obligations in Sections 2 and 3 of Chapter V at an equivalent level. If a Member State believes that a common specification does not fully meet the requirements in Section 2 or the obligations in Sections 2 and 3 of Chapter V, it must inform the Commission with a detailed explanation. The Commission will review this information and may update the implementing act for the common specification if necessary. Article 42 states that high-risk AI systems trained and tested on data relevant to their intended use are presumed to meet the requirements in Article 10(4). Additionally, high-risk AI systems that have been certified under a cybersecurity scheme (as per Regulation (EU) 2019/881) and published in the Official Journal of the European Union are presumed to meet the cybersecurity requirements in Article 15, as long as the certification covers those requirements.
acts referred to in paragraph 1, or parts thereof which cover the same requirements set out in Section 2 of this Chapter or, as applicable, the same obligations set out in Sections 2 and 3 of Chapter V. 5. Where providers of high-risk AI systems or general-purpose AI models do not comply with the common specifications referred to in paragraph 1, they shall duly justify that they have adopted technical solutions that meet the requirements referred to in Section 2 of this Chapter or, as applicable, comply with the obligations set out in Sections 2 and 3 of Chapter V to a level at least equivalent thereto. 6. Where a Member State considers that a common specification does not entirely meet the requirements set out in Section 2 or, as applicable, comply with obligations set out in Sections 2 and 3 of Chapter V, it shall inform the Commission thereof with a detailed explanation. The Commission shall assess that information and, if appropriate, amend the implementing act establishing the common specification concerned. Article 42 Presumption of conformity with certain requirements 1. High-risk AI systems that have been trained and tested on data reflecting the specific geographical, behavioural, contextual or functional setting within which they are intended to be used shall be presumed to comply with the relevant requirements laid down in Article 10(4). 2. High-risk AI systems that have been certified or for which a statement of conformity has been issued under a cybersecurity scheme pursuant to Regulation (EU) 2019/881 and the references of which have been published in the Official Journal of the European Union shall be presumed to comply with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements. OJ L, 12.7.
Show original text
The European Union is assumed to meet the cybersecurity requirements in Article 15 of this Regulation if the cybersecurity certificate or conformity statement covers those requirements. According to Article 43 on conformity assessment: 1. For high-risk AI systems listed in Annex III, providers must demonstrate compliance with Section 2 requirements by using either: (a) internal controls as described in Annex VI, or (b) an assessment of their quality management system and technical documentation with the help of a notified body, as outlined in Annex VII. Providers must follow the Annex VII conformity assessment procedure if: (a) there are no harmonised standards from Article 40 or common specifications from Article 41 available; (b) they have not used or have only partially used the harmonised standards; (c) common specifications exist but were not applied; (d) any harmonised standards have restrictions, and only parts of those standards are applicable. For the Annex VII conformity assessment, providers can select any notified body.
the European Union shall be presumed to comply with the cybersecurity requirements set out in Article 15 of this Regulation in so far as the cybersecurity certificate or statement of conformity or parts thereof cover those requirements. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 77/144 Article 43 Conformity assessment 1. For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Section 2, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall opt for one of the following conformity assessment procedures based on: (a) the internal control referred to in Annex VI; or (b) the assessment of the quality management system and the assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII. In demonstrating the compliance of a high-risk AI system with the requirements set out in Section 2, the provider shall follow the conformity assessment procedure set out in Annex VII where: (a) harmonised standards referred to in Article 40 do not exist, and common specifications referred to in Article 41 are not available; (b) the provider has not applied, or has applied only part of, the harmonised standard; (c) the common specifications referred to in point (a) exist, but the provider has not applied them; (d) one or more of the harmonised standards referred to in point (a) has been published with a restriction, and only on the part of the standard that was restricted. For the purposes of the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies.
Show original text
Point (a) has been published with a restriction, specifically regarding the part of the standard that is restricted. For the conformity assessment procedure mentioned in Annex VII, the provider can choose any notified body. However, if the high-risk AI system is to be used by law enforcement, immigration, or asylum authorities, or by Union institutions, the market surveillance authority mentioned in Article 74(8) or (9) will act as the notified body. For high-risk AI systems listed in points 2 to 8 of Annex III, providers must follow the conformity assessment procedure based on internal control outlined in Annex VI, which does not involve a notified body. For high-risk AI systems that fall under the Union harmonisation legislation in Section A of Annex I, providers must adhere to the relevant conformity assessment procedures required by those laws. The requirements in Section 2 of this Chapter will apply to these high-risk AI systems and will be included in the assessment. Additionally, points 4.3, 4.4, 4.5, and the fifth paragraph of point 4.6 in Annex VII will also apply. Notified bodies that have been approved under these legal acts can assess the conformity of high-risk AI systems with the requirements in Section 2, provided that their compliance with the requirements in Article 31(4), (5), (10), and (11) has been evaluated during the notification process under those legal acts.
point (a) has been published with a restriction, and only on the part of the standard that was restricted. For the purposes of the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies. However, where the high-risk AI system is intended to be put into service by law enforcement, immigration or asylum authorities or by Union institutions, bodies, offices or agencies, the market surveillance authority referred to in Article 74(8) or (9), as applicable, shall act as a notified body. 2. For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body. 3. For high-risk AI systems covered by the Union harmonisation legislation listed in Section A of Annex I, the provider shall follow the relevant conformity assessment procedure as required under those legal acts. The requirements set out in Section 2 of this Chapter shall apply to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply. For the purposes of that assessment, notified bodies which have been notified under those legal acts shall be entitled to control the conformity of the high-risk AI systems with the requirements set out in Section 2, provided that the compliance of those notified bodies with requirements laid down in Article 31(4), (5), (10) and (11) has been assessed in the context of the notification procedure under those legal acts.
Show original text
Section 2 states that the compliance of notified bodies with the requirements in Article 31(4), (5), (10), and (11) has been evaluated during the notification process under those legal acts. If a legal act listed in Section A of Annex I allows a product manufacturer to skip third-party conformity assessment, the manufacturer can only do so if they have followed all relevant harmonised standards. Additionally, they must also apply the harmonised standards or common specifications mentioned in Article 41 that cover all requirements in Section 2 of this Chapter. High-risk AI systems that have already undergone a conformity assessment must go through a new assessment if they are significantly modified, regardless of whether the modified system will be distributed further or will continue to be used by the current user. For high-risk AI systems that learn after being released, any changes to the system and its performance that were predetermined by the provider during the initial assessment and included in the technical documentation (as per point 2(f) of Annex IV) will not be considered a substantial modification. The Commission has the authority to adopt delegated acts under Article 97 to update Annexes VI and VII based on technical advancements.
Section 2, provided that the compliance of those notified bodies with requirements laid down in Article 31(4), (5), (10) and (11) has been assessed in the context of the notification procedure under those legal acts. Where a legal act listed in Section A of Annex I enables the product manufacturer to opt out from a third-party conformity assessment, provided that that manufacturer has applied all harmonised standards covering all the relevant requirements, that manufacturer may use that option only if it has also applied harmonised standards or, where applicable, common specifications referred to in Article 41, covering all requirements set out in Section 2 of this Chapter. 4. High-risk AI systems that have already been subject to a conformity assessment procedure shall undergo a new conformity assessment procedure in the event of a substantial modification, regardless of whether the modified system is intended to be further distributed or continues to be used by the current deployer. For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification. 5. The Commission is empowered to adopt delegated acts in accordance with Article 97 in order to amend Annexes VI and VII by updating them in light of technical progress. EN OJ L, 12.7.2024 78/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 6.
Show original text
The Commission can create delegated acts to update paragraphs 1 and 2 of this Article, specifically to require high-risk AI systems (as listed in points 2 to 8 of Annex III) to follow the conformity assessment procedure outlined in Annex VII. When doing this, the Commission will consider how effective the internal control conformity assessment procedure (mentioned in Annex VI) is at reducing health and safety risks and protecting fundamental rights, as well as whether there are enough resources among notified bodies to handle this. Article 44: Certificates 1. Certificates issued by notified bodies, as per Annex VII, must be in a language that is easily understood by the relevant authorities in the Member State where the notified body is located. 2. Certificates are valid for a specified period: up to five years for AI systems in Annex I and up to four years for those in Annex III. Providers can request an extension of the certificate's validity for additional periods (not exceeding five years for Annex I and four years for Annex III) after a re-assessment according to the relevant conformity assessment procedures. Any supplement to a certificate remains valid as long as the original certificate is valid.
by updating them in light of technical progress. EN OJ L, 12.7.2024 78/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 6. The Commission is empowered to adopt delegated acts in accordance with Article 97 in order to amend paragraphs 1 and 2 of this Article in order to subject high-risk AI systems referred to in points 2 to 8 of Annex III to the conformity assessment procedure referred to in Annex VII or parts thereof. The Commission shall adopt such delegated acts taking into account the effectiveness of the conformity assessment procedure based on internal control referred to in Annex VI in preventing or minimising the risks to health and safety and protection of fundamental rights posed by such systems, as well as the availability of adequate capacities and resources among notified bodies. Article 44 Certificates 1. Certificates issued by notified bodies in accordance with Annex VII shall be drawn-up in a language which can be easily understood by the relevant authorities in the Member State in which the notified body is established. 2. Certificates shall be valid for the period they indicate, which shall not exceed five years for AI systems covered by Annex I, and four years for AI systems covered by Annex III. At the request of the provider, the validity of a certificate may be extended for further periods, each not exceeding five years for AI systems covered by Annex I, and four years for AI systems covered by Annex III, based on a re-assessment in accordance with the applicable conformity assessment procedures. Any supplement to a certificate shall remain valid, provided that the certificate which it supplements is valid. 3.
Show original text
AI systems covered by Annex III will have a validity period of four years, subject to re-assessment based on the relevant conformity assessment procedures. Any supplement to a certificate remains valid as long as the original certificate is valid. If a notified body determines that an AI system no longer meets the requirements outlined in Section 2, it may suspend or withdraw the certificate or impose restrictions. This action will consider proportionality unless the system provider takes appropriate corrective action within a deadline set by the notified body. The notified body must provide reasons for its decision. There is an appeal process available for decisions made by notified bodies, including those related to conformity certificates. Article 45 outlines the information obligations of notified bodies: 1. Notified bodies must inform the notifying authority about: (a) any Union technical documentation assessment certificates, supplements, and quality management system approvals issued under Annex VII; (b) any refusals, restrictions, suspensions, or withdrawals of these certificates or approvals; (c) any changes affecting the scope or conditions of notification; (d) any requests for information from market surveillance authorities regarding conformity assessment activities; (e) upon request, details of conformity assessment activities and other related activities, including cross-border and subcontracting work. 2. Each notified body must inform other notified bodies about: (a) quality management system approvals it has refused, suspended, or withdrawn, and provide approvals it has issued upon request; (b) Union technical documentation assessment certificates or supplements it has refused, withdrawn, suspended, or restricted, and provide details of issued certificates or supplements upon request.
and four years for AI systems covered by Annex III, based on a re-assessment in accordance with the applicable conformity assessment procedures. Any supplement to a certificate shall remain valid, provided that the certificate which it supplements is valid. 3. Where a notified body finds that an AI system no longer meets the requirements set out in Section 2, it shall, taking account of the principle of proportionality, suspend or withdraw the certificate issued or impose restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider of the system within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision. An appeal procedure against decisions of the notified bodies, including on conformity certificates issued, shall be available. Article 45 Information obligations of notified bodies 1. Notified bodies shall inform the notifying authority of the following: (a) any Union technical documentation assessment certificates, any supplements to those certificates, and any quality management system approvals issued in accordance with the requirements of Annex VII; (b) any refusal, restriction, suspension or withdrawal of a Union technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII; (c) any circumstances affecting the scope of or conditions for notification; (d) any request for information which they have received from market surveillance authorities regarding conformity assessment activities; (e) on request, conformity assessment activities performed within the scope of their notification and any other activity performed, including cross-border activities and subcontracting. 2. Each notified body shall inform the other notified bodies of: (a) quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued; (b) Union technical documentation assessment certificates or any supplements thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and/or supplements thereto which it has issued.
Show original text
Notified bodies must share information about negative and, if requested, positive conformity assessment results with other notified bodies that assess similar AI systems. They must also keep this information confidential as per Article 78. Article 46 allows for exceptions to the conformity assessment procedure. A market surveillance authority can permit the sale or use of specific high-risk AI systems in their Member State for urgent reasons related to public security, health, environmental protection, or safeguarding critical infrastructure. This permission is temporary while the necessary assessments are completed quickly. In urgent situations where public security is at risk or there is a significant threat to people's safety, law enforcement or civil protection authorities can use a high-risk AI system without prior authorization, as long as they request the authorization promptly afterward.
approvals which it has issued; (b) Union technical documentation assessment certificates or any supplements thereto which it has refused, withdrawn, suspended or otherwise restricted, and, upon request, of the certificates and/or supplements thereto which it has issued. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 79/144 3. Each notified body shall provide the other notified bodies carrying out similar conformity assessment activities covering the same types of AI systems with relevant information on issues relating to negative and, on request, positive conformity assessment results. 4. Notified bodies shall safeguard the confidentiality of the information that they obtain, in accordance with Article 78. Article 46 Derogation from conformity assessment procedure 1. By way of derogation from Article 43 and upon a duly justified request, any market surveillance authority may authorise the placing on the market or the putting into service of specific high-risk AI systems within the territory of the Member State concerned, for exceptional reasons of public security or the protection of life and health of persons, environmental protection or the protection of key industrial and infrastructural assets. That authorisation shall be for a limited period while the necessary conformity assessment procedures are being carried out, taking into account the exceptional reasons justifying the derogation. The completion of those procedures shall be undertaken without undue delay. 2. In a duly justified situation of urgency for exceptional reasons of public security or in the case of specific, substantial and imminent threat to the life or physical safety of natural persons, law-enforcement authorities or civil protection authorities may put a specific high-risk AI system into service without the authorisation referred to in paragraph 1, provided that such authorisation is requested during or after the use without undue delay.
Show original text
Law enforcement or civil protection authorities can use a high-risk AI system without prior authorization, as long as they request the authorization during or shortly after its use. If the authorization is denied, they must stop using the AI system immediately and discard any results from its use. The authorization will only be granted if the market surveillance authority determines that the AI system meets the requirements outlined in Section 2. The market surveillance authority must inform the European Commission and other Member States about any authorizations issued, but this does not include sensitive operational data related to law enforcement activities. If no objections are raised by any Member State or the Commission within 15 days of receiving this information, the authorization is considered justified. If objections are raised by a Member State against another Member State's authorization, or if the Commission believes the authorization violates EU law or that the compliance assessment is incorrect, the Commission will consult with the relevant Member State. The operators of the AI system will also be consulted and can share their views. Based on these discussions, the Commission will decide if the authorization is justified.
persons, law-enforcement authorities or civil protection authorities may put a specific high-risk AI system into service without the authorisation referred to in paragraph 1, provided that such authorisation is requested during or after the use without undue delay. If the authorisation referred to in paragraph 1 is refused, the use of the high-risk AI system shall be stopped with immediate effect and all the results and outputs of such use shall be immediately discarded. 3. The authorisation referred to in paragraph 1 shall be issued only if the market surveillance authority concludes that the high-risk AI system complies with the requirements of Section 2. The market surveillance authority shall inform the Commission and the other Member States of any authorisation issued pursuant to paragraphs 1 and 2. This obligation shall not cover sensitive operational data in relation to the activities of law-enforcement authorities. 4. Where, within 15 calendar days of receipt of the information referred to in paragraph 3, no objection has been raised by either a Member State or the Commission in respect of an authorisation issued by a market surveillance authority of a Member State in accordance with paragraph 1, that authorisation shall be deemed justified. 5. Where, within 15 calendar days of receipt of the notification referred to in paragraph 3, objections are raised by a Member State against an authorisation issued by a market surveillance authority of another Member State, or where the Commission considers the authorisation to be contrary to Union law, or the conclusion of the Member States regarding the compliance of the system as referred to in paragraph 3 to be unfounded, the Commission shall, without delay, enter into consultations with the relevant Member State. The operators concerned shall be consulted and have the possibility to present their views. Having regard thereto, the Commission shall decide whether the authorisation is justified.
Show original text
The Commission will quickly start discussions with the relevant Member State. The affected operators will also be consulted and can share their opinions. Based on this input, the Commission will decide if the authorization is warranted. The decision will be communicated to the Member State and the relevant operators. If the Commission finds the authorization unjustified, the market surveillance authority of the Member State will revoke it. For high-risk AI systems related to products under EU harmonization laws listed in Section A of Annex I, only the exceptions from the conformity assessment in those laws will apply. Article 47: EU Declaration of Conformity 1. The provider must create a written, machine-readable, and electronically signed EU declaration of conformity for each high-risk AI system. This document must be kept available for national authorities for 10 years after the system is marketed or put into service. It should clearly identify the high-risk AI system. A copy must be provided to the relevant national authorities if requested. 2. The EU declaration of conformity must confirm that the high-risk AI system meets the requirements outlined in Section 2. It should include the information specified in Annex V and be translated into a language easily understood by the national authorities of the Member States where the system is marketed or available.
the Commission shall, without delay, enter into consultations with the relevant Member State. The operators concerned shall be consulted and have the possibility to present their views. Having regard thereto, the Commission shall decide whether the authorisation is justified. The Commission shall address its decision to the Member State concerned and to the relevant operators. 6. Where the Commission considers the authorisation unjustified, it shall be withdrawn by the market surveillance authority of the Member State concerned. 7. For high-risk AI systems related to products covered by Union harmonisation legislation listed in Section A of Annex I, only the derogations from the conformity assessment established in that Union harmonisation legislation shall apply. Article 47 EU declaration of conformity 1. The provider shall draw up a written machine readable, physical or electronically signed EU declaration of conformity for each high-risk AI system, and keep it at the disposal of the national competent authorities for 10 years after the high-risk AI system has been placed on the market or put into service. The EU declaration of conformity shall identify the high-risk AI system for which it has been drawn up. A copy of the EU declaration of conformity shall be submitted to the relevant national competent authorities upon request. EN OJ L, 12.7.2024 80/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2. The EU declaration of conformity shall state that the high-risk AI system concerned meets the requirements set out in Section 2. The EU declaration of conformity shall contain the information set out in Annex V, and shall be translated into a language that can be easily understood by the national competent authorities of the Member States in which the high-risk AI system is placed on the market or made available. 3.
Show original text
The information in Annex V must be translated into a language that national authorities in Member States can easily understand when high-risk AI systems are marketed or made available. If high-risk AI systems are also covered by other EU regulations that require a declaration of conformity, a single EU declaration will be created that addresses all relevant EU laws for that system. This declaration must include all necessary information to identify the applicable EU regulations. By creating this EU declaration, the provider takes responsibility for ensuring compliance with the requirements in Section 2 and must keep the declaration updated as needed. The Commission has the authority to make changes to Annex V, including updating the EU declaration content, to reflect necessary updates due to technical advancements. Regarding CE marking: 1. The CE marking must follow the general principles outlined in Article 30 of Regulation (EC) No 765/2008. 2. For high-risk AI systems offered digitally, a digital CE marking should be used, accessible through the system's interface or via a machine-readable code or other electronic means. 3. The CE marking must be clearly visible, legible, and permanent on high-risk AI systems. If this is not feasible due to the system's nature, it should be placed on the packaging or accompanying documentation as appropriate.
contain the information set out in Annex V, and shall be translated into a language that can be easily understood by the national competent authorities of the Member States in which the high-risk AI system is placed on the market or made available. 3. Where high-risk AI systems are subject to other Union harmonisation legislation which also requires an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all Union law applicable to the high-risk AI system. The declaration shall contain all the information required to identify the Union harmonisation legislation to which the declaration relates. 4. By drawing up the EU declaration of conformity, the provider shall assume responsibility for compliance with the requirements set out in Section 2. The provider shall keep the EU declaration of conformity up-to-date as appropriate. 5. The Commission is empowered to adopt delegated acts in accordance with Article 97 in order to amend Annex V by updating the content of the EU declaration of conformity set out in that Annex, in order to introduce elements that become necessary in light of technical progress. Article 48 CE marking 1. The CE marking shall be subject to the general principles set out in Article 30 of Regulation (EC) No 765/2008. 2. For high-risk AI systems provided digitally, a digital CE marking shall be used, only if it can easily be accessed via the interface from which that system is accessed or via an easily accessible machine-readable code or other electronic means. 3. The CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate. 4.
Show original text
For high-risk AI systems, if it's not possible to label them directly, the necessary information must be placed on the packaging or accompanying documents. The CE marking must include the identification number of the notified body that conducted the conformity assessment, as outlined in Article 43. This number can be added by the notified body itself or by the provider or their authorized representative under the body's instructions. Additionally, this identification number should be included in any promotional materials that state the high-risk AI system meets CE marking requirements. If high-risk AI systems are also governed by other EU laws that require CE marking, the marking will indicate compliance with those laws as well. Article 49: Registration 1. Before selling or using a high-risk AI system listed in Annex III (except for those mentioned in point 2 of Annex III), the provider or their authorized representative must register themselves and the system in the EU database mentioned in Article 71. 2. If a provider determines that their AI system is not high-risk according to Article 6(3), they or their authorized representative must still register themselves and the system in the EU database mentioned in Article 71.
ibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate. 4. Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the provider or by the provider’s authorised representative. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking. 5. Where high-risk AI systems are subject to other Union law which also provides for the affixing of the CE marking, the CE marking shall indicate that the high-risk AI system also fulfil the requirements of that other law. Article 49 Registration 1. Before placing on the market or putting into service a high-risk AI system listed in Annex III, with the exception of high-risk AI systems referred to in point 2 of Annex III, the provider or, where applicable, the authorised representative shall register themselves and their system in the EU database referred to in Article 71. 2. Before placing on the market or putting into service an AI system for which the provider has concluded that it is not high-risk according to Article 6(3), that provider or, where applicable, the authorised representative shall register themselves and that system in the EU database referred to in Article 71. 3.
Show original text
The provider has determined that it is not classified as high-risk under Article 6(3). Therefore, the provider or their authorized representative must register themselves and the system in the EU database mentioned in Article 71. Before using or deploying a high-risk AI system listed in Annex III (except for those specified in point 2 of Annex III), public authorities, EU institutions, and individuals acting on their behalf must register themselves, select the system, and log its use in the EU database referenced in Article 71. For high-risk AI systems mentioned in points 1, 6, and 7 of Annex III, which pertain to law enforcement, migration, asylum, and border control, the registration must occur in a secure, non-public section of the EU database. This registration will only include specific information as outlined in: (a) Section A, points 1 to 10 of Annex VIII, excluding points 6, 8, and 9; (b) Section B, points 1 to 5, and points 8 and 9 of Annex VIII; (c) Section C, points 1 to 3 of Annex VIII; (d) points 1, 2, 3, and 5 of Annex IX. Only the European Commission and the national authorities specified in Article 74(8) will have access to these restricted sections of the EU database.
provider has concluded that it is not high-risk according to Article 6(3), that provider or, where applicable, the authorised representative shall register themselves and that system in the EU database referred to in Article 71. 3. Before putting into service or using a high-risk AI system listed in Annex III, with the exception of high-risk AI systems listed in point 2 of Annex III, deployers that are public authorities, Union institutions, bodies, offices or agencies or persons acting on their behalf shall register themselves, select the system and register its use in the EU database referred to in Article 71. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 81/144 4. For high-risk AI systems referred to in points 1, 6 and 7 of Annex III, in the areas of law enforcement, migration, asylum and border control management, the registration referred to in paragraphs 1, 2 and 3 of this Article shall be in a secure non-public section of the EU database referred to in Article 71 and shall include only the following information, as applicable, referred to in: (a) Section A, points 1 to 10, of Annex VIII, with the exception of points 6, 8 and 9; (b) Section B, points 1 to 5, and points 8 and 9 of Annex VIII; (c) Section C, points 1 to 3, of Annex VIII; (d) points 1, 2, 3 and 5, of Annex IX. Only the Commission and national authorities referred to in Article 74(8) shall have access to the respective restricted sections of the EU database listed in the first subparagraph of this paragraph. 5.
Show original text
Only the Commission and specific national authorities mentioned in Article 74(8) can access the restricted sections of the EU database outlined in Annex IX. High-risk AI systems, as described in point 2 of Annex III, must be registered at the national level. CHAPTER IV TRANSPARENCY OBLIGATIONS FOR PROVIDERS AND DEPLOYERS OF CERTAIN AI SYSTEMS Article 50 Transparency obligations for providers and deployers of certain AI systems 1. Providers must ensure that AI systems designed to interact directly with people inform them that they are engaging with an AI system, unless it is clear to a reasonably informed and observant person based on the context. This requirement does not apply to AI systems legally authorized to detect, prevent, investigate, or prosecute crimes, provided there are safeguards for the rights of others, unless these systems are available for public reporting of crimes. 2. Providers of AI systems, including those that create synthetic audio, images, videos, or text, must mark the outputs in a machine-readable format to indicate they are artificially generated or altered. Providers should ensure their technical solutions are effective, compatible, robust, and reliable, considering the specific characteristics and limitations of different content types, implementation costs, and the current state of technology as reflected in relevant technical standards.
, 3 and 5, of Annex IX. Only the Commission and national authorities referred to in Article 74(8) shall have access to the respective restricted sections of the EU database listed in the first subparagraph of this paragraph. 5. High-risk AI systems referred to in point 2 of Annex III shall be registered at national level. CHAPTER IV TRANSPARENCY OBLIGATIONS FOR PROVIDERS AND DEPLOYERS OF CERTAIN AI SYSTEMS Article 50 Transparency obligations for providers and deployers of certain AI systems 1. Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate or prosecute criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, unless those systems are available for the public to report a criminal offence. 2. Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated. Providers shall ensure their technical solutions are effective, interoperable, robust and reliable as far as this is technically feasible, taking into account the specificities and limitations of various types of content, the costs of implementation and the generally acknowledged state of the art, as may be reflected in relevant technical standards.
Show original text
AI systems should be reliable based on what is technically possible, considering the unique features and limitations of different types of content, the costs involved, and current technical standards. This requirement does not apply if the AI systems are only assisting with standard editing, do not significantly change the input data, or are legally authorized to help detect, prevent, investigate, or prosecute crimes. Deployers of emotion recognition or biometric categorization systems must inform individuals about how these systems work and handle personal data according to EU regulations (Regulations (EU) 2016/679, (EU) 2018/1725, and Directive (EU) 2016/680). However, this requirement does not apply to systems used for crime-related purposes, as long as there are safeguards for the rights of others and compliance with EU law. Deployers of AI systems that create or alter images, audio, or video to produce deep fakes must reveal that the content has been artificially created or modified. This requirement does not apply if the content is used legally for crime-related purposes. If the content is part of artistic, creative, satirical, fictional, or similar works, the obligation to disclose is limited to informing about the existence of such content in a way that does not interfere with the enjoyment of the work.
reliable as far as this is technically feasible, taking into account the specificities and limitations of various types of content, the costs of implementation and the generally acknowledged state of the art, as may be reflected in relevant technical standards. This obligation shall not apply to the extent the AI systems perform an assistive function for standard editing or do not substantially alter the input data provided by the deployer or the semantics thereof, or where authorised by law to detect, prevent, investigate or prosecute criminal offences. 3. Deployers of an emotion recognition system or a biometric categorisation system shall inform the natural persons exposed thereto of the operation of the system, and shall process the personal data in accordance with Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680, as applicable. This obligation shall not apply to AI systems used for biometric categorisation and emotion recognition, which are permitted by law to detect, prevent or investigate criminal offences, subject to appropriate safeguards for the rights and freedoms of third parties, and in accordance with Union law. 4. Deployers of an AI system that generates or manipulates image, audio or video content constituting a deep fake, shall disclose that the content has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offence. Where the content forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme, the transparency obligations set out in this paragraph are limited to disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work.
Show original text
If a work or program is satirical, fictional, or similar, the rules about transparency only require that the existence of any AI-generated or manipulated content is disclosed in a way that does not interfere with the enjoyment of the work. Those who use an AI system to create or alter text intended to inform the public must clearly state that the text is AI-generated or manipulated. This requirement does not apply if the use is legally authorized for detecting, preventing, investigating, or prosecuting crimes, or if the AI-generated content has been reviewed or edited by a human who is responsible for the publication. The information mentioned must be provided to individuals in a clear and noticeable way at the time of their first interaction with the content, and it must meet accessibility standards. These rules do not change any existing requirements in Chapter III or other transparency laws at the Union or national level for AI system users. The AI Office will promote and support the creation of codes of practice at the Union level to help implement the rules for detecting and labeling AI-generated or manipulated content. The Commission may approve these codes of practice through specific procedures.
satirical, fictional or analogous work or programme, the transparency obligations set out in this paragraph are limited to disclosure of the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work. Deployers of an AI system that generates or manipulates text which is published with the purpose of informing the public on matters of public interest shall disclose that the text has been artificially generated or manipulated. This obligation shall not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offences or where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content. EN OJ L, 12.7.2024 82/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 5. The information referred to in paragraphs 1 to 4 shall be provided to the natural persons concerned in a clear and distinguishable manner at the latest at the time of the first interaction or exposure. The information shall conform to the applicable accessibility requirements. 6. Paragraphs 1 to 4 shall not affect the requirements and obligations set out in Chapter III, and shall be without prejudice to other transparency obligations laid down in Union or national law for deployers of AI systems. 7. The AI Office shall encourage and facilitate the drawing up of codes of practice at Union level to facilitate the effective implementation of the obligations regarding the detection and labelling of artificially generated or manipulated content. The Commission may adopt implementing acts to approve those codes of practice in accordance with the procedure laid down in Article 56 (6).
Show original text
To ensure that the rules for detecting and labeling artificially generated or manipulated content are effectively followed, the Commission can approve codes of practice through implementing acts as outlined in Article 56 (6). If the Commission finds a code inadequate, it can create an implementing act that sets common rules for these obligations, following the examination process in Article 98(2). CHAPTER V GENERAL-PURPOSE AI MODELS SECTION 1 Classification Rules Article 51 Classification of General-Purpose AI Models with Systemic Risk 1. A general-purpose AI model will be classified as having systemic risk if it meets any of the following criteria: (a) It has high impact capabilities assessed using appropriate technical tools and methods, including specific indicators and benchmarks. (b) The Commission, either on its own or after a qualified alert from the scientific panel, determines that the model has capabilities or impacts similar to those in point (a), based on the criteria in Annex XIII. 2. A general-purpose AI model is presumed to have high impact capabilities if the total computation used for its training exceeds 10^25 floating point operations. 3. The Commission will issue delegated acts according to Article 97 to update the thresholds in paragraphs 1 and 2, and to add benchmarks and indicators as technology evolves, ensuring these thresholds remain current with advancements in algorithms or hardware efficiency. Article 52 Procedure 1.
to facilitate the effective implementation of the obligations regarding the detection and labelling of artificially generated or manipulated content. The Commission may adopt implementing acts to approve those codes of practice in accordance with the procedure laid down in Article 56 (6). If it deems the code is not adequate, the Commission may adopt an implementing act specifying common rules for the implementation of those obligations in accordance with the examination procedure laid down in Article 98(2). CHAPTER V GENERAL-PURPOSE AI MODELS SECTION 1 Classification rules Article 51 Classification of general-purpose AI models as general-purpose AI models with systemic risk 1. A general-purpose AI model shall be classified as a general-purpose AI model with systemic risk if it meets any of the following conditions: (a) it has high impact capabilities evaluated on the basis of appropriate technical tools and methodologies, including indicators and benchmarks; (b) based on a decision of the Commission, ex officio or following a qualified alert from the scientific panel, it has capabilities or an impact equivalent to those set out in point (a) having regard to the criteria set out in Annex XIII. 2. A general-purpose AI model shall be presumed to have high impact capabilities pursuant to paragraph 1, point (a), when the cumulative amount of computation used for its training measured in floating point operations is greater than 1025. 3. The Commission shall adopt delegated acts in accordance with Article 97 to amend the thresholds listed in paragraphs 1 and 2 of this Article, as well as to supplement benchmarks and indicators in light of evolving technological developments, such as algorithmic improvements or increased hardware efficiency, when necessary, for these thresholds to reflect the state of the art. Article 52 Procedure 1.
Show original text
To keep up with advancements in technology, such as better algorithms or more efficient hardware, benchmarks and indicators may be updated as needed to reflect the latest standards. Article 52 Procedure 1. If a general-purpose AI model meets the criteria outlined in Article 51(1)(a), the provider must inform the Commission immediately, and no later than two weeks after the requirement is met or becomes known. This notification must include the necessary information to prove that the requirement has been satisfied. If the Commission learns about a general-purpose AI model that poses systemic risks and has not been reported, it can classify it as a model with systemic risk. 2. A provider of a general-purpose AI model that meets the criteria in Article 51(1)(a) can submit arguments with their notification to show that, despite meeting the requirement, the model does not pose systemic risks due to its specific features and should not be classified as such. 3. If the Commission finds that the arguments provided in paragraph 2 are not convincing and the provider fails to demonstrate that the model does not pose systemic risks, the arguments will be rejected, and the model will be classified as a general-purpose AI model with systemic risk.
as well as to supplement benchmarks and indicators in light of evolving technological developments, such as algorithmic improvements or increased hardware efficiency, when necessary, for these thresholds to reflect the state of the art. Article 52 Procedure 1. Where a general-purpose AI model meets the condition referred to in Article 51(1), point (a), the relevant provider shall notify the Commission without delay and in any event within two weeks after that requirement is met or it becomes known that it will be met. That notification shall include the information necessary to demonstrate that the relevant requirement has been met. If the Commission becomes aware of a general-purpose AI model presenting systemic risks of which it has not been notified, it may decide to designate it as a model with systemic risk. 2. The provider of a general-purpose AI model that meets the condition referred to in Article 51(1), point (a), may present, with its notification, sufficiently substantiated arguments to demonstrate that, exceptionally, although it meets that requirement, the general-purpose AI model does not present, due to its specific characteristics, systemic risks and therefore should not be classified as a general-purpose AI model with systemic risk. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 83/144 3. Where the Commission concludes that the arguments submitted pursuant to paragraph 2 are not sufficiently substantiated and the relevant provider was not able to demonstrate that the general-purpose AI model does not present, due to its specific characteristics, systemic risks, it shall reject those arguments, and the general-purpose AI model shall be considered to be a general-purpose AI model with systemic risk. 4.
Show original text
The general-purpose AI model will be considered to have systemic risks if it does not meet specific criteria. The Commission can identify a general-purpose AI model as having systemic risks either on its own or after receiving a qualified alert from the scientific panel, based on criteria outlined in Annex XIII. The Commission has the authority to update these criteria through delegated acts as per Article 97. If a provider believes their model has been wrongly designated as having systemic risks, they can request a reassessment. This request must include new, objective reasons that have emerged since the designation. Providers can only request a reassessment six months after the initial designation or after a previous reassessment. The Commission will maintain and regularly update a public list of general-purpose AI models identified as having systemic risks, while also protecting intellectual property rights and confidential business information.
that the general-purpose AI model does not present, due to its specific characteristics, systemic risks, it shall reject those arguments, and the general-purpose AI model shall be considered to be a general-purpose AI model with systemic risk. 4. The Commission may designate a general-purpose AI model as presenting systemic risks, ex officio or following a qualified alert from the scientific panel pursuant to Article 90(1), point (a), on the basis of criteria set out in Annex XIII. The Commission is empowered to adopt delegated acts in accordance with Article 97 in order to amend Annex XIII by specifying and updating the criteria set out in that Annex. 5. Upon a reasoned request of a provider whose model has been designated as a general-purpose AI model with systemic risk pursuant to paragraph 4, the Commission shall take the request into account and may decide to reassess whether the general-purpose AI model can still be considered to present systemic risks on the basis of the criteria set out in Annex XIII. Such a request shall contain objective, detailed and new reasons that have arisen since the designation decision. Providers may request reassessment at the earliest six months after the designation decision. Where the Commission, following its reassessment, decides to maintain the designation as a general-purpose AI model with systemic risk, providers may request reassessment at the earliest six months after that decision. 6. The Commission shall ensure that a list of general-purpose AI models with systemic risk is published and shall keep that list up to date, without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law. SECTION 2 Obligations for providers of general-purpose AI models Article 53 Obligations for providers of general-purpose AI models 1.
Show original text
Providers of general-purpose AI models must follow specific obligations: 1. They need to create and maintain up-to-date technical documentation about their model, including details on its training, testing processes, and evaluation results. This documentation should meet the requirements outlined in Annex XI and be available to the AI Office and national authorities upon request. 2. They must also prepare and share information and documentation with AI system providers who want to use their general-purpose AI model. This information should help these providers understand the model's capabilities and limitations, while respecting intellectual property rights and trade secrets as per Union and national laws. The documentation must include at least the elements listed in Annex XII. 3. They are required to implement a policy that complies with Union copyright laws, ensuring they recognize and adhere to any rights reserved under Article 4(3) of Directive (EU) 2019/790. 4. Finally, they must publicly share a detailed summary of the content used to train the general-purpose AI model, following a template provided by the AI Office.
and confidential business information or trade secrets in accordance with Union and national law. SECTION 2 Obligations for providers of general-purpose AI models Article 53 Obligations for providers of general-purpose AI models 1. Providers of general-purpose AI models shall: (a) draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation, which shall contain, at a minimum, the information set out in Annex XI for the purpose of providing it, upon request, to the AI Office and the national competent authorities; (b) draw up, keep up-to-date and make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems. Without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law, the information and documentation shall: (i) enable providers of AI systems to have a good understanding of the capabilities and limitations of the general-purpose AI model and to comply with their obligations pursuant to this Regulation; and (ii) contain, at a minimum, the elements set out in Annex XII; (c) put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790; (d) draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office. EN OJ L, 12.7.2024 84/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2.
Show original text
According to a template from the AI Office, the obligations mentioned in paragraph 1, points (a) and (b), do not apply to AI model providers who release their models under a free and open-source license. This license must allow public access, usage, modification, and distribution of the model, and the model's parameters, architecture, and usage information must be publicly available. However, this exception does not apply to general-purpose AI models that pose systemic risks. Providers of general-purpose AI models must cooperate with the Commission and national authorities as required by this regulation. They can use codes of practice, as defined in Article 56, to show compliance with the obligations in paragraph 1 until a standardized method is published. Following European harmonized standards will give providers a presumption of compliance if those standards cover the obligations. If providers do not follow an approved code of practice or a European standard, they must find alternative ways to demonstrate compliance for the Commission's assessment. To help with compliance with Annex XI, especially points 2 (d) and (e), the Commission can create delegated acts under Article 97 to specify measurement and calculation methods for consistent and verifiable documentation. Additionally, the Commission can amend Annexes XI and XII through delegated acts as technology evolves.
to a template provided by the AI Office. EN OJ L, 12.7.2024 84/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2. The obligations set out in paragraph 1, points (a) and (b), shall not apply to providers of AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general-purpose AI models with systemic risks. 3. Providers of general-purpose AI models shall cooperate as necessary with the Commission and the national competent authorities in the exercise of their competences and powers pursuant to this Regulation. 4. Providers of general-purpose AI models may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. 5. For the purpose of facilitating compliance with Annex XI, in particular points 2 (d) and (e) thereof, the Commission is empowered to adopt delegated acts in accordance with Article 97 to detail measurement and calculation methodologies with a view to allowing for comparable and verifiable documentation. 6. The Commission is empowered to adopt delegated acts in accordance with Article 97(2) to amend Annexes XI and XII in light of evolving technological developments. 7.
Show original text
The methodologies aim to ensure that documentation is comparable and verifiable. The Commission can adopt delegated acts under Article 97(2) to update Annexes XI and XII as technology evolves. Any information obtained under this Article, including trade secrets, will be kept confidential according to Article 78. Article 54 outlines the requirements for authorized representatives of providers of general-purpose AI models. Before a provider from a non-EU country can sell a general-purpose AI model in the EU, they must appoint an authorized representative based in the EU through a written mandate. The provider must allow the authorized representative to perform the tasks outlined in the mandate. The authorized representative must: (a) verify that the technical documentation in Annex XI is complete and that the provider has met all obligations in Article 53 and, if applicable, Article 55; (b) keep a copy of the technical documentation for 10 years after the AI model is sold, along with the provider's contact details; (c) provide the AI Office with necessary information and documentation upon request to show compliance; (d) cooperate with the AI Office and authorities in any actions related to the AI model upon request.
methodologies with a view to allowing for comparable and verifiable documentation. 6. The Commission is empowered to adopt delegated acts in accordance with Article 97(2) to amend Annexes XI and XII in light of evolving technological developments. 7. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78. Article 54 Authorised representatives of providers of general-purpose AI models 1. Prior to placing a general-purpose AI model on the Union market, providers established in third countries shall, by written mandate, appoint an authorised representative which is established in the Union. 2. The provider shall enable its authorised representative to perform the tasks specified in the mandate received from the provider. 3. The authorised representative shall perform the tasks specified in the mandate received from the provider. It shall provide a copy of the mandate to the AI Office upon request, in one of the official languages of the institutions of the Union. For the purposes of this Regulation, the mandate shall empower the authorised representative to carry out the following tasks: (a) verify that the technical documentation specified in Annex XI has been drawn up and all obligations referred to in Article 53 and, where applicable, Article 55 have been fulfilled by the provider; (b) keep a copy of the technical documentation specified in Annex XI at the disposal of the AI Office and national competent authorities, for a period of 10 years after the general-purpose AI model has been placed on the market, and the contact details of the provider that appointed the authorised representative; (c) provide the AI Office, upon a reasoned request, with all the information and documentation, including that referred to in point (b), necessary to demonstrate compliance with the obligations in this Chapter; (d) cooperate with the AI Office and competent authorities, upon a reasoned request, in any action they take in relation to the general-purpose AI model
Show original text
Providers of general-purpose AI models must demonstrate compliance with the obligations outlined in this chapter. They are required to cooperate with the AI Office and relevant authorities if requested, especially regarding actions related to the AI model, including when it is used in AI systems sold or operated in the Union. The authorized representative can be contacted by the AI Office or authorities instead of the provider for any compliance issues related to this regulation. If the authorized representative believes the provider is not fulfilling its obligations, they must terminate their mandate and inform the AI Office immediately, explaining the reasons for the termination. However, this obligation does not apply to providers of general-purpose AI models that are released under a free and open-source license, allowing access, use, modification, and distribution of the model, as long as the model's parameters and architecture information are publicly available, unless these models pose systemic risks.
that referred to in point (b), necessary to demonstrate compliance with the obligations in this Chapter; (d) cooperate with the AI Office and competent authorities, upon a reasoned request, in any action they take in relation to the general-purpose AI model, including when the model is integrated into AI systems placed on the market or put into service in the Union. 4. The mandate shall empower the authorised representative to be addressed, in addition to or instead of the provider, by the AI Office or the competent authorities, on all issues related to ensuring compliance with this Regulation. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 85/144 5. The authorised representative shall terminate the mandate if it considers or has reason to consider the provider to be acting contrary to its obligations pursuant to this Regulation. In such a case, it shall also immediately inform the AI Office about the termination of the mandate and the reasons therefor. 6. The obligation set out in this Article shall not apply to providers of general-purpose AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available, unless the general-purpose AI models present systemic risks. SECTION 3 Obligations of providers of general-purpose AI models with systemic risk Article 55 Obligations of providers of general-purpose AI models with systemic risk 1.
Show original text
Providers of general-purpose AI models that pose systemic risks have specific obligations. In addition to the requirements in Articles 53 and 54, they must: (a) evaluate their models using standardized protocols and tools, including adversarial testing to identify and reduce systemic risks; (b) assess and address potential systemic risks at the Union level that may arise from the development, marketing, or use of these AI models; (c) track, document, and promptly report serious incidents and corrective actions to the AI Office and relevant national authorities; (d) ensure strong cybersecurity for both the AI model and its physical infrastructure. Providers can use codes of practice to show they meet these obligations until a standardized guideline is available. Following European harmonized standards can help them prove compliance. If they do not follow an approved code or standard, they must find other ways to demonstrate compliance for evaluation by the Commission. Any information collected under these obligations, including trade secrets, must be kept confidential as per Article 78.
unless the general-purpose AI models present systemic risks. SECTION 3 Obligations of providers of general-purpose AI models with systemic risk Article 55 Obligations of providers of general-purpose AI models with systemic risk 1. In addition to the obligations listed in Articles 53 and 54, providers of general-purpose AI models with systemic risk shall: (a) perform model evaluation in accordance with standardised protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks; (b) assess and mitigate possible systemic risks at Union level, including their sources, that may stem from the development, the placing on the market, or the use of general-purpose AI models with systemic risk; (c) keep track of, document, and report, without undue delay, to the AI Office and, as appropriate, to national competent authorities, relevant information about serious incidents and possible corrective measures to address them; (d) ensure an adequate level of cybersecurity protection for the general-purpose AI model with systemic risk and the physical infrastructure of the model. 2. Providers of general-purpose AI models with systemic risk may rely on codes of practice within the meaning of Article 56 to demonstrate compliance with the obligations set out in paragraph 1 of this Article, until a harmonised standard is published. Compliance with European harmonised standards grants providers the presumption of conformity to the extent that those standards cover those obligations. Providers of general-purpose AI models with systemic risks who do not adhere to an approved code of practice or do not comply with a European harmonised standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. 3. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78.
Show original text
The standard must show alternative ways to comply for the Commission's review. Any information or documents obtained under this Article, including trade secrets, will be kept confidential as stated in Article 78. **SECTION 4: Codes of Practice** **Article 56: Codes of Practice** 1. The AI Office will promote and support the creation of codes of practice at the Union level to help implement this Regulation, considering international standards. 2. The AI Office and the Board will ensure that these codes of practice address at least the requirements in Articles 53 and 55, which include: (a) Keeping the information mentioned in Article 53(1), points (a) and (b), updated based on market and technology changes; (b) Providing enough detail in the summary about the content used for training; (c) Identifying systemic risks at the Union level, including their sources when relevant; (d) Establishing measures and procedures for assessing and managing these systemic risks, ensuring that documentation is proportional to the risks, considers their severity and likelihood, and addresses the specific challenges of managing these risks throughout the AI value chain. 3. The AI Office may invite all providers of general-purpose AI models and relevant national authorities to help create these codes of practice.
standard shall demonstrate alternative adequate means of compliance for assessment by the Commission. 3. Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78. SECTION 4 Codes of practice Article 56 Codes of practice 1. The AI Office shall encourage and facilitate the drawing up of codes of practice at Union level in order to contribute to the proper application of this Regulation, taking into account international approaches. 2. The AI Office and the Board shall aim to ensure that the codes of practice cover at least the obligations provided for in Articles 53 and 55, including the following issues: EN OJ L, 12.7.2024 86/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (a) the means to ensure that the information referred to in Article 53(1), points (a) and (b), is kept up to date in light of market and technological developments; (b) the adequate level of detail for the summary about the content used for training; (c) the identification of the type and nature of the systemic risks at Union level, including their sources, where appropriate; (d) the measures, procedures and modalities for the assessment and management of the systemic risks at Union level, including the documentation thereof, which shall be proportionate to the risks, take into consideration their severity and probability and take into account the specific challenges of tackling those risks in light of the possible ways in which such risks may emerge and materialise along the AI value chain. 3. The AI Office may invite all providers of general-purpose AI models, as well as relevant national competent authorities, to participate in the drawing-up of codes of practice.
Show original text
The AI Office will identify potential risks that may arise throughout the AI value chain. 1. The AI Office can invite all providers of general-purpose AI models and relevant national authorities to help create codes of practice. Civil society organizations, industry representatives, academic institutions, and other stakeholders, including downstream providers and independent experts, can also contribute to this process. 2. The AI Office and the Board will ensure that the codes of practice clearly define their goals and include commitments or measures, such as key performance indicators, to achieve these goals. They will consider the needs and interests of all stakeholders, including affected individuals, at the Union level. 3. The AI Office will require participants in the codes of practice to regularly report on how they are implementing their commitments and the results of those actions, including performance against key indicators. These indicators and reporting requirements will take into account the different sizes and capabilities of the participants. 4. The AI Office and the Board will continuously monitor and evaluate how well participants are meeting the objectives of the codes of practice and their compliance with the relevant regulations. They will check if the codes meet the obligations outlined in Articles 53 and 55 and will publish their evaluations of the codes' effectiveness. 5. The Commission can approve a code of practice through an implementing act, which will apply across the Union. This act will follow the examination procedure specified in Article 98(2). 6. The AI Office may invite all providers of general-purpose AI models to follow the codes of practice.
which such risks may emerge and materialise along the AI value chain. 3. The AI Office may invite all providers of general-purpose AI models, as well as relevant national competent authorities, to participate in the drawing-up of codes of practice. Civil society organisations, industry, academia and other relevant stakeholders, such as downstream providers and independent experts, may support the process. 4. The AI Office and the Board shall aim to ensure that the codes of practice clearly set out their specific objectives and contain commitments or measures, including key performance indicators as appropriate, to ensure the achievement of those objectives, and that they take due account of the needs and interests of all interested parties, including affected persons, at Union level. 5. The AI Office shall aim to ensure that participants to the codes of practice report regularly to the AI Office on the implementation of the commitments and the measures taken and their outcomes, including as measured against the key performance indicators as appropriate. Key performance indicators and reporting commitments shall reflect differences in size and capacity between various participants. 6. The AI Office and the Board shall regularly monitor and evaluate the achievement of the objectives of the codes of practice by the participants and their contribution to the proper application of this Regulation. The AI Office and the Board shall assess whether the codes of practice cover the obligations provided for in Articles 53 and 55, and shall regularly monitor and evaluate the achievement of their objectives. They shall publish their assessment of the adequacy of the codes of practice. The Commission may, by way of an implementing act, approve a code of practice and give it a general validity within the Union. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2). 7. The AI Office may invite all providers of general-purpose AI models to adhere to the codes of practice.
Show original text
The AI Office will create a general rule for the Union, following the examination procedure in Article 98(2). It can invite all providers of general-purpose AI models to follow the codes of practice. For those models that do not pose systemic risks, adherence may only include the obligations in Article 53, unless they express interest in the full code. The AI Office will also promote the review and update of these codes, especially as new standards emerge, and will help assess existing standards. The codes of practice must be ready by May 2, 2025, and the AI Office will take necessary actions, including inviting providers as mentioned earlier. If the codes are not finalized by August 2, 2025, or if the AI Office finds them inadequate, the Commission may establish common rules for implementing the obligations in Articles 53 and 55 through implementing acts, following the procedure in Article 98(2). In Chapter VI, Article 57 states that Member States must ensure their authorities set up at least one AI regulatory sandbox by August 2, 2026, which can be done in collaboration with authorities from other Member States.
general validity within the Union. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2). 7. The AI Office may invite all providers of general-purpose AI models to adhere to the codes of practice. For providers of general-purpose AI models not presenting systemic risks this adherence may be limited to the obligations provided for in Article 53, unless they declare explicitly their interest to join the full code. 8. The AI Office shall, as appropriate, also encourage and facilitate the review and adaptation of the codes of practice, in particular in light of emerging standards. The AI Office shall assist in the assessment of available standards. 9. Codes of practice shall be ready at the latest by 2 May 2025. The AI Office shall take the necessary steps, including inviting providers pursuant to paragraph 7. If, by 2 August 2025, a code of practice cannot be finalised, or if the AI Office deems it is not adequate following its assessment under paragraph 6 of this Article, the Commission may provide, by means of implementing acts, common rules for the implementation of the obligations provided for in Articles 53 and 55, including the issues set out in paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2). OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 87/144 CHAPTER VI MEASURES IN SUPPORT OF INNOVATION Article 57 AI regulatory sandboxes 1. Member States shall ensure that their competent authorities establish at least one AI regulatory sandbox at national level, which shall be operational by 2 August 2026. That sandbox may also be established jointly with the competent authorities of other Member States.
Show original text
Member States must ensure that their relevant authorities create at least one AI regulatory sandbox by August 2, 2026. This sandbox can be set up in collaboration with authorities from other Member States. The European Commission may offer technical support and resources for creating and running these sandboxes. Member States can also meet this requirement by joining an existing sandbox, as long as it provides similar national coverage. Additionally, more AI regulatory sandboxes can be created at regional or local levels, or in partnership with other Member States' authorities. The European Data Protection Supervisor can also create a sandbox for EU institutions and perform the functions of national authorities as outlined in this chapter. Member States must ensure that their authorities have enough resources to comply with these requirements promptly. They should collaborate with other relevant authorities and may involve other participants in the AI ecosystem. This regulation does not interfere with other sandboxes established under EU or national laws, and Member States should ensure cooperation between the authorities overseeing those sandboxes and the national authorities. The AI regulatory sandboxes must provide a controlled environment that encourages innovation and allows for the development, training, testing, and validation of new AI systems for a limited time before they are launched or used, based on a specific plan agreed upon by the providers and the competent authority. Testing may occur under real-world conditions within these sandboxes.
Member States shall ensure that their competent authorities establish at least one AI regulatory sandbox at national level, which shall be operational by 2 August 2026. That sandbox may also be established jointly with the competent authorities of other Member States. The Commission may provide technical support, advice and tools for the establishment and operation of AI regulatory sandboxes. The obligation under the first subparagraph may also be fulfilled by participating in an existing sandbox in so far as that participation provides an equivalent level of national coverage for the participating Member States. 2. Additional AI regulatory sandboxes at regional or local level, or established jointly with the competent authorities of other Member States may also be established. 3. The European Data Protection Supervisor may also establish an AI regulatory sandbox for Union institutions, bodies, offices and agencies, and may exercise the roles and the tasks of national competent authorities in accordance with this Chapter. 4. Member States shall ensure that the competent authorities referred to in paragraphs 1 and 2 allocate sufficient resources to comply with this Article effectively and in a timely manner. Where appropriate, national competent authorities shall cooperate with other relevant authorities, and may allow for the involvement of other actors within the AI ecosystem. This Article shall not affect other regulatory sandboxes established under Union or national law. Member States shall ensure an appropriate level of cooperation between the authorities supervising those other sandboxes and the national competent authorities. 5. AI regulatory sandboxes established under paragraph 1 shall provide for a controlled environment that fosters innovation and facilitates the development, training, testing and validation of innovative AI systems for a limited time before their being placed on the market or put into service pursuant to a specific sandbox plan agreed between the providers or prospective providers and the competent authority. Such sandboxes may include testing in real world conditions supervised therein. 6.
Show original text
Providers of AI systems can test their products in a controlled environment, known as an AI regulatory sandbox, before they are officially launched or used. This sandbox is created through an agreement between the providers and the relevant authority, allowing for real-world testing under supervision. The competent authorities will offer guidance, oversight, and support within the sandbox to help identify risks, especially those related to fundamental rights, health, and safety. They will also assess testing methods and their effectiveness in meeting the requirements of this Regulation and other applicable laws. Authorities will provide participating providers with information on regulatory expectations and how to meet the obligations outlined in this Regulation. If requested, they will issue written proof of the activities completed in the sandbox, along with an exit report summarizing the activities and results. Providers can use these documents to show compliance during the conformity assessment process or market surveillance. The exit reports and written proof will be positively considered by market surveillance authorities to speed up the conformity assessment process. With the provider's consent and following confidentiality rules, the Commission and the Board can access the exit reports for their regulatory tasks. If both the provider and the national authority agree, the exit report may also be made publicly available through a designated information platform.
a limited time before their being placed on the market or put into service pursuant to a specific sandbox plan agreed between the providers or prospective providers and the competent authority. Such sandboxes may include testing in real world conditions supervised therein. 6. Competent authorities shall provide, as appropriate, guidance, supervision and support within the AI regulatory sandbox with a view to identifying risks, in particular to fundamental rights, health and safety, testing, mitigation measures, and their effectiveness in relation to the obligations and requirements of this Regulation and, where relevant, other Union and national law supervised within the sandbox. 7. Competent authorities shall provide providers and prospective providers participating in the AI regulatory sandbox with guidance on regulatory expectations and how to fulfil the requirements and obligations set out in this Regulation. Upon request of the provider or prospective provider of the AI system, the competent authority shall provide a written proof of the activities successfully carried out in the sandbox. The competent authority shall also provide an exit report detailing the activities carried out in the sandbox and the related results and learning outcomes. Providers may use such documentation to demonstrate their compliance with this Regulation through the conformity assessment process or relevant market surveillance activities. In this regard, the exit reports and the written proof provided by the national competent authority shall be taken positively into account by market surveillance authorities and notified bodies, with a view to accelerating conformity assessment procedures to a reasonable extent. 8. Subject to the confidentiality provisions in Article 78, and with the agreement of the provider or prospective provider, the Commission and the Board shall be authorised to access the exit reports and shall take them into account, as appropriate, when exercising their tasks under this Regulation. If both the provider or prospective provider and the national competent authority explicitly agree, the exit report may be made publicly available through the single information platform referred to in this Article. 9.
Show original text
When carrying out their duties under this Regulation, both the provider (or potential provider) and the national authority can agree to make the exit report publicly available through the designated information platform mentioned in this Article. The purpose of establishing AI regulatory sandboxes is to achieve the following goals: (a) Enhance legal clarity to ensure compliance with this Regulation and other relevant Union and national laws; (b) Promote the sharing of best practices by collaborating with authorities involved in the AI regulatory sandbox; (c) Encourage innovation and competitiveness, and support the growth of an AI ecosystem; (d) Contribute to evidence-based regulatory learning; (e) Facilitate and speed up access to the Union market for AI systems, especially those provided by small and medium-sized enterprises (SMEs) and start-ups. National authorities must ensure that if innovative AI systems involve personal data processing or fall under the oversight of other authorities, the national data protection authorities and relevant competent authorities are included in the operation of the AI regulatory sandbox and participate in supervising these aspects according to their roles and powers. The AI regulatory sandboxes will not interfere with the supervisory or corrective powers of the authorities overseeing them, including at regional or local levels. If significant health, safety, or fundamental rights risks are identified during the development and testing of AI systems, appropriate measures must be taken to address them. National authorities have the authority to temporarily or permanently halt the testing process or participation in the sandbox if effective mitigation is not possible, and they must inform the AI Office of their decision.
appropriate, when exercising their tasks under this Regulation. If both the provider or prospective provider and the national competent authority explicitly agree, the exit report may be made publicly available through the single information platform referred to in this Article. 9. The establishment of AI regulatory sandboxes shall aim to contribute to the following objectives: (a) improving legal certainty to achieve regulatory compliance with this Regulation or, where relevant, other applicable Union and national law; EN OJ L, 12.7.2024 88/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (b) supporting the sharing of best practices through cooperation with the authorities involved in the AI regulatory sandbox; (c) fostering innovation and competitiveness and facilitating the development of an AI ecosystem; (d) contributing to evidence-based regulatory learning; (e) facilitating and accelerating access to the Union market for AI systems, in particular when provided by SMEs, including start-ups. 10. National competent authorities shall ensure that, to the extent the innovative AI systems involve the processing of personal data or otherwise fall under the supervisory remit of other national authorities or competent authorities providing or supporting access to data, the national data protection authorities and those other national or competent authorities are associated with the operation of the AI regulatory sandbox and involved in the supervision of those aspects to the extent of their respective tasks and powers. 11. The AI regulatory sandboxes shall not affect the supervisory or corrective powers of the competent authorities supervising the sandboxes, including at regional or local level. Any significant risks to health and safety and fundamental rights identified during the development and testing of such AI systems shall result in an adequate mitigation. National competent authorities shall have the power to temporarily or permanently suspend the testing process, or the participation in the sandbox if no effective mitigation is possible, and shall inform the AI Office of such decision.
Show original text
National authorities can temporarily or permanently stop the testing process or participation in the AI regulatory sandbox if effective solutions are not found. They must inform the AI Office of their decision. These authorities will use their legal powers to support AI innovation in the Union while following the law. Providers in the AI sandbox are responsible for any damage caused during their experiments. However, if they follow the rules and guidance from the national authority, they won't face administrative fines for breaking regulations. If other authorities were involved in supervising the AI system and provided compliance guidance, no fines will be imposed for those laws either. The AI sandboxes will be set up to encourage cooperation between national authorities across borders. National authorities will work together and coordinate their efforts through the Board. They must inform the AI Office and the Board when a sandbox is established and can request support. The AI Office will maintain and publicly share a list of current and planned sandboxes to promote interaction and cooperation.
systems shall result in an adequate mitigation. National competent authorities shall have the power to temporarily or permanently suspend the testing process, or the participation in the sandbox if no effective mitigation is possible, and shall inform the AI Office of such decision. National competent authorities shall exercise their supervisory powers within the limits of the relevant law, using their discretionary powers when implementing legal provisions in respect of a specific AI regulatory sandbox project, with the objective of supporting innovation in AI in the Union. 12. Providers and prospective providers participating in the AI regulatory sandbox shall remain liable under applicable Union and national liability law for any damage inflicted on third parties as a result of the experimentation taking place in the sandbox. However, provided that the prospective providers observe the specific plan and the terms and conditions for their participation and follow in good faith the guidance given by the national competent authority, no administrative fines shall be imposed by the authorities for infringements of this Regulation. Where other competent authorities responsible for other Union and national law were actively involved in the supervision of the AI system in the sandbox and provided guidance for compliance, no administrative fines shall be imposed regarding that law. 13. The AI regulatory sandboxes shall be designed and implemented in such a way that, where relevant, they facilitate cross-border cooperation between national competent authorities. 14. National competent authorities shall coordinate their activities and cooperate within the framework of the Board. 15. National competent authorities shall inform the AI Office and the Board of the establishment of a sandbox, and may ask them for support and guidance. The AI Office shall make publicly available a list of planned and existing sandboxes and keep it up to date in order to encourage more interaction in the AI regulatory sandboxes and cross-border cooperation. 16.
Show original text
The AI Office will provide a public list of both planned and existing AI regulatory sandboxes, keeping it updated to promote interaction and cooperation across borders. National authorities must submit annual reports to the AI Office and the Board starting one year after the sandbox is established, and continue doing so each year until it ends, along with a final report. These reports will detail the progress and outcomes of the sandboxes, including best practices, incidents, lessons learned, and recommendations for their setup and potential revisions to the regulation. The national authorities will also make these reports or summaries available online for the public. The Commission will consider these annual reports when fulfilling its responsibilities under this regulation. Additionally, the Commission will create a single interface that contains all relevant information about AI regulatory sandboxes, allowing stakeholders to interact with them, ask questions to the authorities, and seek informal guidance on compliance for innovative AI-related products and services. The Commission will coordinate with national authorities as needed.
may ask them for support and guidance. The AI Office shall make publicly available a list of planned and existing sandboxes and keep it up to date in order to encourage more interaction in the AI regulatory sandboxes and cross-border cooperation. 16. National competent authorities shall submit annual reports to the AI Office and to the Board, from one year after the establishment of the AI regulatory sandbox and every year thereafter until its termination, and a final report. Those reports shall provide information on the progress and results of the implementation of those sandboxes, including best practices, incidents, lessons learnt and recommendations on their setup and, where relevant, on the application and possible revision of this Regulation, including its delegated and implementing acts, and on the application of other Union law supervised by the competent authorities within the sandbox. The national competent authorities shall make those annual reports or abstracts thereof available to the public, online. The Commission shall, where appropriate, take the annual reports into account when exercising its tasks under this Regulation. 17. The Commission shall develop a single and dedicated interface containing all relevant information related to AI regulatory sandboxes to allow stakeholders to interact with AI regulatory sandboxes and to raise enquiries with competent authorities, and to seek non-binding guidance on the conformity of innovative products, services, business models embedding AI technologies, in accordance with Article 62(1), point (c). The Commission shall proactively coordinate with national competent authorities, where relevant. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 89/144 Article 58 Detailed arrangements for, and functioning of, AI regulatory sandboxes 1.
Show original text
In 2024, the European Commission will create rules for AI regulatory sandboxes to ensure consistency across the EU. These rules will cover: (a) criteria for who can participate in the sandbox; (b) the application process, monitoring, and how to exit the sandbox; and (c) the terms for participants. The Commission will adopt these rules following a specific examination process. The rules will ensure that: (a) anyone who meets the eligibility criteria can apply, and national authorities must inform applicants of their decision within three months; (b) the sandboxes will be accessible to all and can accommodate demand, allowing partnerships with other relevant parties; (c) national authorities have the flexibility to manage their sandboxes; (d) participation is free for small and medium-sized enterprises (SMEs) and start-ups, although some costs may be recovered; and (e) the sandboxes will help participants learn and comply with regulations.
.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 89/144 Article 58 Detailed arrangements for, and functioning of, AI regulatory sandboxes 1. In order to avoid fragmentation across the Union, the Commission shall adopt implementing acts specifying the detailed arrangements for the establishment, development, implementation, operation and supervision of the AI regulatory sandboxes. The implementing acts shall include common principles on the following issues: (a) eligibility and selection criteria for participation in the AI regulatory sandbox; (b) procedures for the application, participation, monitoring, exiting from and termination of the AI regulatory sandbox, including the sandbox plan and the exit report; (c) the terms and conditions applicable to the participants. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2). 2. The implementing acts referred to in paragraph 1 shall ensure: (a) that AI regulatory sandboxes are open to any applying provider or prospective provider of an AI system who fulfils eligibility and selection criteria, which shall be transparent and fair, and that national competent authorities inform applicants of their decision within three months of the application; (b) that AI regulatory sandboxes allow broad and equal access and keep up with demand for participation; providers and prospective providers may also submit applications in partnerships with deployers and other relevant third parties; (c) that the detailed arrangements for, and conditions concerning AI regulatory sandboxes support, to the best extent possible, flexibility for national competent authorities to establish and operate their AI regulatory sandboxes; (d) that access to the AI regulatory sandboxes is free of charge for SMEs, including start-ups, without prejudice to exceptional costs that national competent authorities may recover in a fair and proportionate manner; (e) that they facilitate providers and prospective providers, by means of the learning outcomes of the AI regulatory sandboxes, in complying
Show original text
Start-ups can recover exceptional costs fairly and proportionately. AI regulatory sandboxes help providers and potential providers meet compliance requirements under this Regulation and follow the voluntary codes of conduct mentioned in Article 95. These sandboxes also encourage collaboration among various stakeholders in the AI ecosystem, including notified bodies, standardization organizations, small and medium-sized enterprises (SMEs), start-ups, innovators, testing facilities, research labs, European Digital Innovation Hubs, centers of excellence, and individual researchers, to foster cooperation between public and private sectors. The application, selection, participation, and exit processes for the AI regulatory sandbox should be simple, clear, and easy to understand, making it easier for SMEs and start-ups with limited legal and administrative resources to participate. These processes should be consistent across the EU to prevent fragmentation, ensuring that participation in a sandbox established by a Member State or the European Data Protection Supervisor is recognized uniformly and has the same legal implications throughout the Union. Participation in the AI regulatory sandbox should be limited to a timeframe that suits the project's complexity and scale, with the possibility of extension by the national authority. Additionally, AI regulatory sandboxes should support the creation of tools and infrastructure for testing, benchmarking, assessing, and explaining important aspects of AI systems, such as accuracy, robustness, and cybersecurity, as well as measures to mitigate risks to fundamental rights and society.
start-ups, without prejudice to exceptional costs that national competent authorities may recover in a fair and proportionate manner; (e) that they facilitate providers and prospective providers, by means of the learning outcomes of the AI regulatory sandboxes, in complying with conformity assessment obligations under this Regulation and the voluntary application of the codes of conduct referred to in Article 95; (f) that AI regulatory sandboxes facilitate the involvement of other relevant actors within the AI ecosystem, such as notified bodies and standardisation organisations, SMEs, including start-ups, enterprises, innovators, testing and experimenta­ tion facilities, research and experimentation labs and European Digital Innovation Hubs, centres of excellence, individual researchers, in order to allow and facilitate cooperation with the public and private sectors; (g) that procedures, processes and administrative requirements for application, selection, participation and exiting the AI regulatory sandbox are simple, easily intelligible, and clearly communicated in order to facilitate the participation of SMEs, including start-ups, with limited legal and administrative capacities and are streamlined across the Union, in order to avoid fragmentation and that participation in an AI regulatory sandbox established by a Member State, or by the European Data Protection Supervisor is mutually and uniformly recognised and carries the same legal effects across the Union; (h) that participation in the AI regulatory sandbox is limited to a period that is appropriate to the complexity and scale of the project and that may be extended by the national competent authority; (i) that AI regulatory sandboxes facilitate the development of tools and infrastructure for testing, benchmarking, assessing and explaining dimensions of AI systems relevant for regulatory learning, such as accuracy, robustness and cybersecurity, as well as measures to mitigate risks to fundamental rights and society at large. 3.
Show original text
The AI regulatory framework includes systems for testing and evaluating AI technologies, focusing on important aspects like accuracy, reliability, and cybersecurity. It also aims to address risks to fundamental rights and society. Small and medium-sized enterprises (SMEs) and start-ups participating in AI regulatory sandboxes will receive guidance on how to implement these regulations, along with access to services that help with standardization, certification, testing, and innovation hubs. National authorities can allow real-world testing within these sandboxes, but they must agree on the testing conditions and safeguards to protect fundamental rights and public safety. They should also work together to ensure consistent practices across the European Union. In the AI regulatory sandbox, personal data that has been legally collected for other purposes can be used to develop, train, and test AI systems, provided that these systems are aimed at serving a significant public interest. This includes areas like public safety and health, such as disease detection and healthcare improvement.
and infrastructure for testing, benchmarking, assessing and explaining dimensions of AI systems relevant for regulatory learning, such as accuracy, robustness and cybersecurity, as well as measures to mitigate risks to fundamental rights and society at large. 3. Prospective providers in the AI regulatory sandboxes, in particular SMEs and start-ups, shall be directed, where relevant, to pre-deployment services such as guidance on the implementation of this Regulation, to other value-adding services such as help with standardisation documents and certification, testing and experimentation facilities, European Digital Innovation Hubs and centres of excellence. EN OJ L, 12.7.2024 90/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 4. Where national competent authorities consider authorising testing in real world conditions supervised within the framework of an AI regulatory sandbox to be established under this Article, they shall specifically agree the terms and conditions of such testing and, in particular, the appropriate safeguards with the participants, with a view to protecting fundamental rights, health and safety. Where appropriate, they shall cooperate with other national competent authorities with a view to ensuring consistent practices across the Union. Article 59 Further processing of personal data for developing certain AI systems in the public interest in the AI regulatory sandbox 1. In the AI regulatory sandbox, personal data lawfully collected for other purposes may be processed solely for the purpose of developing, training and testing certain AI systems in the sandbox when all of the following conditions are met: (a) AI systems shall be developed for safeguarding substantial public interest by a public authority or another natural or legal person and in one or more of the following areas: (i) public safety and public health, including disease detection, diagnosis prevention, control and treatment and improvement of health care systems; (ii) a high level of protection and improvement of the quality of
Show original text
The following areas are covered: (i) public safety and health, including disease detection, diagnosis, prevention, control, treatment, and improving healthcare systems; (ii) enhancing environmental quality, protecting biodiversity, reducing pollution, and addressing climate change; (iii) ensuring energy sustainability; (iv) improving the safety and resilience of transportation systems and critical infrastructure; (v) increasing the efficiency and quality of public administration and services. Additionally: (b) the data used must be necessary to meet specific requirements that cannot be fulfilled with anonymized or non-personal data; (c) there must be effective monitoring to identify and address any high risks to individuals' rights during the sandbox testing, with mechanisms to mitigate these risks; (d) personal data must be processed in a secure, isolated environment controlled by the provider, with access limited to authorized personnel; (e) data can only be shared according to EU data protection laws, and personal data from the sandbox cannot be shared outside of it; (f) processing personal data in the sandbox should not affect individuals' rights or lead to decisions impacting them; (g) personal data must be protected with appropriate measures and deleted after the sandbox participation ends.
in one or more of the following areas: (i) public safety and public health, including disease detection, diagnosis prevention, control and treatment and improvement of health care systems; (ii) a high level of protection and improvement of the quality of the environment, protection of biodiversity, protection against pollution, green transition measures, climate change mitigation and adaptation measures; (iii) energy sustainability; (iv) safety and resilience of transport systems and mobility, critical infrastructure and networks; (v) efficiency and quality of public administration and public services; (b) the data processed are necessary for complying with one or more of the requirements referred to in Chapter III, Section 2 where those requirements cannot effectively be fulfilled by processing anonymised, synthetic or other non-personal data; (c) there are effective monitoring mechanisms to identify if any high risks to the rights and freedoms of the data subjects, as referred to in Article 35 of Regulation (EU) 2016/679 and in Article 39 of Regulation (EU) 2018/1725, may arise during the sandbox experimentation, as well as response mechanisms to promptly mitigate those risks and, where necessary, stop the processing; (d) any personal data to be processed in the context of the sandbox are in a functionally separate, isolated and protected data processing environment under the control of the prospective provider and only authorised persons have access to those data; (e) providers can further share the originally collected data only in accordance with Union data protection law; any personal data created in the sandbox cannot be shared outside the sandbox; (f) any processing of personal data in the context of the sandbox neither leads to measures or decisions affecting the data subjects nor does it affect the application of their rights laid down in Union law on the protection of personal data; (g) any personal data processed in the context of the sandbox are protected by means of appropriate technical and organisational measures and deleted once the participation in the sandbox has
Show original text
Individuals can exercise their rights under Union law regarding personal data protection. Any personal data used in the sandbox will be safeguarded with appropriate technical and organizational measures and will be deleted once participation ends or the data retention period expires. Logs of personal data processing in the sandbox will be maintained for the duration of participation, unless otherwise specified by Union or national law. A detailed description of the training, testing, and validation process for the AI system, along with testing results, will be included in the technical documentation as outlined in Annex IV. A brief summary of the AI project, its goals, and expected outcomes will be published on the competent authorities' website, excluding sensitive operational data related to law enforcement, border control, immigration, or asylum activities. For the prevention, investigation, detection, or prosecution of crimes, or for enforcing criminal penalties, the processing of personal data in AI regulatory sandboxes will be governed by specific Union or national laws and must meet the same conditions mentioned earlier.
application of their rights laid down in Union law on the protection of personal data; (g) any personal data processed in the context of the sandbox are protected by means of appropriate technical and organisational measures and deleted once the participation in the sandbox has terminated or the personal data has reached the end of its retention period; (h) the logs of the processing of personal data in the context of the sandbox are kept for the duration of the participation in the sandbox, unless provided otherwise by Union or national law; (i) a complete and detailed description of the process and rationale behind the training, testing and validation of the AI system is kept together with the testing results as part of the technical documentation referred to in Annex IV; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 91/144 (j) a short summary of the AI project developed in the sandbox, its objectives and expected results is published on the website of the competent authorities; this obligation shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities. 2. For the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security, under the control and responsibility of law enforcement authorities, the processing of personal data in AI regulatory sandboxes shall be based on a specific Union or national law and subject to the same cumulative conditions as referred to in paragraph 1. 3.
Show original text
Law enforcement authorities are responsible for processing personal data in AI regulatory sandboxes, which must follow specific Union or national laws and meet certain conditions. This does not affect laws that restrict the use of personal data for purposes not explicitly stated, nor does it impact laws that allow data processing necessary for developing, testing, or training innovative AI systems, as long as they comply with Union data protection laws. Article 60 discusses the testing of high-risk AI systems in real-world conditions outside of AI regulatory sandboxes. Providers of these systems, listed in Annex III, can conduct testing according to a real-world testing plan, while still adhering to the prohibitions outlined in Article 5. The Commission will define the details of this testing plan through implementing acts, following the examination procedure in Article 98(2). This testing must also comply with any relevant Union or national laws regarding high-risk AI systems related to products covered by Union harmonization legislation in Annex I. Providers can test their high-risk AI systems in real-world conditions at any time before they are marketed or put into service, either independently or in collaboration with others. Additionally, this testing must still comply with any ethical reviews required by Union or national law.
under the control and responsibility of law enforcement authorities, the processing of personal data in AI regulatory sandboxes shall be based on a specific Union or national law and subject to the same cumulative conditions as referred to in paragraph 1. 3. Paragraph 1 is without prejudice to Union or national law which excludes processing of personal data for other purposes than those explicitly mentioned in that law, as well as to Union or national law laying down the basis for the processing of personal data which is necessary for the purpose of developing, testing or training of innovative AI systems or any other legal basis, in compliance with Union law on the protection of personal data. Article 60 Testing of high-risk AI systems in real world conditions outside AI regulatory sandboxes 1. Testing of high-risk AI systems in real world conditions outside AI regulatory sandboxes may be conducted by providers or prospective providers of high-risk AI systems listed in Annex III, in accordance with this Article and the real-world testing plan referred to in this Article, without prejudice to the prohibitions under Article 5. The Commission shall, by means of implementing acts, specify the detailed elements of the real-world testing plan. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2). This paragraph shall be without prejudice to Union or national law on the testing in real world conditions of high-risk AI systems related to products covered by Union harmonisation legislation listed in Annex I. 2. Providers or prospective providers may conduct testing of high-risk AI systems referred to in Annex III in real world conditions at any time before the placing on the market or the putting into service of the AI system on their own or in partnership with one or more deployers or prospective deployers. 3. The testing of high-risk AI systems in real world conditions under this Article shall be without prejudice to any ethical review that is required by Union or national law. 4.
Show original text
Providers or potential providers of high-risk AI systems must partner with one or more deployers to conduct real-world testing. This testing must comply with any ethical reviews required by Union or national law. To conduct this testing, the following conditions must be met: (a) The provider must create a real-world testing plan and submit it to the market surveillance authority in the Member State where the testing will occur. (b) The market surveillance authority must approve the testing plan. If they do not respond within 30 days, the plan is automatically approved unless national law states otherwise, in which case authorization is still needed. (c) The provider must register the testing with a unique identification number and the required information. However, providers of high-risk AI systems related to law enforcement, migration, asylum, and border control must register their testing in a secure, non-public section of the EU database.
partnership with one or more deployers or prospective deployers. 3. The testing of high-risk AI systems in real world conditions under this Article shall be without prejudice to any ethical review that is required by Union or national law. 4. Providers or prospective providers may conduct the testing in real world conditions only where all of the following conditions are met: (a) the provider or prospective provider has drawn up a real-world testing plan and submitted it to the market surveillance authority in the Member State where the testing in real world conditions is to be conducted; (b) the market surveillance authority in the Member State where the testing in real world conditions is to be conducted has approved the testing in real world conditions and the real-world testing plan; where the market surveillance authority has not provided an answer within 30 days, the testing in real world conditions and the real-world testing plan shall be understood to have been approved; where national law does not provide for a tacit approval, the testing in real world conditions shall remain subject to an authorisation; (c) the provider or prospective provider, with the exception of providers or prospective providers of high-risk AI systems referred to in points 1, 6 and 7 of Annex III in the areas of law enforcement, migration, asylum and border control management, and high-risk AI systems referred to in point 2 of Annex III has registered the testing in real world conditions in accordance with Article 71(4) with a Union-wide unique single identification number and with the information specified in Annex IX; the provider or prospective provider of high-risk AI systems referred to in points 1, 6 and 7 of Annex III in the areas of law enforcement, migration, asylum and border control management, has registered the testing in real-world conditions in the secure non-public section of the EU database according to Article 49(4), point (d), with a Union-wide unique single identification number and with
Show original text
The management of migration, asylum, and border control has recorded the testing of high-risk AI systems in real-world conditions within a secure, non-public section of the EU database, as outlined in Article 49(4)(d). This includes a unique identification number and the required information. Providers of these AI systems must also register their real-world testing according to Article 49(5). Key points include: (d) The provider or potential provider conducting the testing must be based in the EU or have a legal representative in the EU. (e) Data collected during testing can only be shared with third countries if proper safeguards under EU law are in place. (f) Testing should not exceed six months, although it can be extended for another six months with prior notification to the market surveillance authority, including a justification for the extension. (g) Individuals from vulnerable groups, such as those with disabilities or the elderly, must be adequately protected during testing. (h) If the testing involves collaboration with other organizations, they must be informed about all relevant aspects of the testing and receive instructions on using the AI system. An agreement must be established between the provider and the collaborating organizations to clarify their roles and responsibilities.
, migration, asylum and border control management, has registered the testing in real-world conditions in the secure non-public section of the EU database according to Article 49(4), point (d), with a Union-wide unique single identification number and with the information specified therein; the provider or prospective provider of high-risk AI systems referred to in point 2 of Annex III has registered the testing in real-world conditions in accordance with Article 49(5); EN OJ L, 12.7.2024 92/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (d) the provider or prospective provider conducting the testing in real world conditions is established in the Union or has appointed a legal representative who is established in the Union; (e) data collected and processed for the purpose of the testing in real world conditions shall be transferred to third countries only provided that appropriate and applicable safeguards under Union law are implemented; (f) the testing in real world conditions does not last longer than necessary to achieve its objectives and in any case not longer than six months, which may be extended for an additional period of six months, subject to prior notification by the provider or prospective provider to the market surveillance authority, accompanied by an explanation of the need for such an extension; (g) the subjects of the testing in real world conditions who are persons belonging to vulnerable groups due to their age or disability, are appropriately protected; (h) where a provider or prospective provider organises the testing in real world conditions in cooperation with one or more deployers or prospective deployers, the latter have been informed of all aspects of the testing that are relevant to their decision to participate, and given the relevant instructions for use of the AI system referred to in Article 13; the provider or prospective provider and the deployer or prospective deployer shall conclude an agreement specifying their roles and responsibilities with
Show original text
Before participating in the AI system testing, both the provider (or potential provider) and the deployer (or potential deployer) must sign an agreement that outlines their roles and responsibilities. This ensures they comply with testing regulations and other relevant laws. The following conditions must be met: (i) Participants in the testing must give informed consent as per Article 61. If obtaining consent is not possible for law enforcement purposes, the testing must not harm the participants, and their personal data must be deleted after the test. (j) The testing must be supervised by qualified individuals from both the provider and deployer who have the necessary training and authority. (k) The AI system's predictions, recommendations, or decisions must be reversible and can be ignored. Participants or their legal representatives can withdraw from the testing at any time without penalty, simply by revoking their consent, and they can request the immediate deletion of their personal data. This withdrawal does not affect any actions already taken. According to Article 75, Member States must empower their market surveillance authorities to require information from providers, conduct unannounced inspections, and check the testing of high-risk AI systems.
to their decision to participate, and given the relevant instructions for use of the AI system referred to in Article 13; the provider or prospective provider and the deployer or prospective deployer shall conclude an agreement specifying their roles and responsibilities with a view to ensuring compliance with the provisions for testing in real world conditions under this Regulation and under other applicable Union and national law; (i) the subjects of the testing in real world conditions have given informed consent in accordance with Article 61, or in the case of law enforcement, where the seeking of informed consent would prevent the AI system from being tested, the testing itself and the outcome of the testing in the real world conditions shall not have any negative effect on the subjects, and their personal data shall be deleted after the test is performed; (j) the testing in real world conditions is effectively overseen by the provider or prospective provider, as well as by deployers or prospective deployers through persons who are suitably qualified in the relevant field and have the necessary capacity, training and authority to perform their tasks; (k) the predictions, recommendations or decisions of the AI system can be effectively reversed and disregarded. 5. Any subjects of the testing in real world conditions, or their legally designated representative, as appropriate, may, without any resulting detriment and without having to provide any justification, withdraw from the testing at any time by revoking their informed consent and may request the immediate and permanent deletion of their personal data. The withdrawal of the informed consent shall not affect the activities already carried out. 6. In accordance with Article 75, Member States shall confer on their market surveillance authorities the powers of requiring providers and prospective providers to provide information, of carrying out unannounced remote or on-site inspections, and of performing checks on the conduct of the testing in real world conditions and the related high-risk AI systems.
Show original text
Market surveillance authorities have the power to require information from providers and potential providers, conduct unannounced inspections (either remotely or on-site), and check how testing is performed in real-world conditions for high-risk AI systems. They will use these powers to ensure that testing is conducted safely in real-world settings. If a serious incident occurs during this testing, it must be reported to the national market surveillance authority as outlined in Article 73. The provider or potential provider must take immediate action to address the issue, which may include suspending the testing until the problem is resolved or terminating it altogether. They must also have a plan in place to quickly recall the AI system if testing is terminated. Providers or potential providers are required to inform the national market surveillance authority in the Member State where the testing is taking place about any suspension or termination of the testing and the final results. Additionally, providers or potential providers are responsible for any damage caused during their testing in real-world conditions, according to applicable Union and national liability laws.
powers of requiring providers and prospective providers to provide information, of carrying out unannounced remote or on-site inspections, and of performing checks on the conduct of the testing in real world conditions and the related high-risk AI systems. Market surveillance authorities shall use those powers to ensure the safe development of testing in real world conditions. 7. Any serious incident identified in the course of the testing in real world conditions shall be reported to the national market surveillance authority in accordance with Article 73. The provider or prospective provider shall adopt immediate mitigation measures or, failing that, shall suspend the testing in real world conditions until such mitigation takes place, or otherwise terminate it. The provider or prospective provider shall establish a procedure for the prompt recall of the AI system upon such termination of the testing in real world conditions. 8. Providers or prospective providers shall notify the national market surveillance authority in the Member State where the testing in real world conditions is to be conducted of the suspension or termination of the testing in real world conditions and of the final outcomes. 9. The provider or prospective provider shall be liable under applicable Union and national liability law for any damage caused in the course of their testing in real world conditions. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 93/144 Article 61 Informed consent to participate in testing in real world conditions outside AI regulatory sandboxes 1.
Show original text
Article 61 outlines the requirements for obtaining informed consent from individuals participating in real-world testing of AI systems, as specified in Article 60. Before participating, individuals must be given clear and understandable information about: (a) the purpose of the testing and any potential inconveniences; (b) the conditions of the testing, including how long it will last; (c) their rights, including the right to refuse or withdraw from the testing at any time without penalty; (d) how to request changes to the AI system's predictions or decisions; and (e) the unique identification number for the testing and contact information for the provider. The consent must be documented with a date, and a copy must be provided to the participants or their legal representatives.
EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 93/144 Article 61 Informed consent to participate in testing in real world conditions outside AI regulatory sandboxes 1. For the purpose of testing in real world conditions under Article 60, freely-given informed consent shall be obtained from the subjects of testing prior to their participation in such testing and after their having been duly informed with concise, clear, relevant, and understandable information regarding: (a) the nature and objectives of the testing in real world conditions and the possible inconvenience that may be linked to their participation; (b) the conditions under which the testing in real world conditions is to be conducted, including the expected duration of the subject or subjects’ participation; (c) their rights, and the guarantees regarding their participation, in particular their right to refuse to participate in, and the right to withdraw from, testing in real world conditions at any time without any resulting detriment and without having to provide any justification; (d) the arrangements for requesting the reversal or the disregarding of the predictions, recommendations or decisions of the AI system; (e) the Union-wide unique single identification number of the testing in real world conditions in accordance with Article 60(4) point (c), and the contact details of the provider or its legal representative from whom further information can be obtained. 2. The informed consent shall be dated and documented and a copy shall be given to the subjects of testing or their legal representative. Article 62 Measures for providers and deployers, in particular SMEs, including start-ups 1.
Show original text
Informed consent must be dated and documented, and a copy should be given to the participants or their legal representatives. **Article 62: Support for Providers and Deployers, Especially SMEs and Start-ups** 1. Member States must take the following actions: (a) Give priority access to AI regulatory sandboxes for SMEs and start-ups with a registered office or branch in the EU, as long as they meet eligibility criteria. Other SMEs and start-ups can also access the sandboxes if they meet the same criteria. (b) Organize training and awareness programs about this Regulation specifically for SMEs, start-ups, deployers, and relevant local public authorities. (c) Use existing communication channels and create new ones to provide advice and answer questions for SMEs, start-ups, deployers, and local public authorities regarding this Regulation and participation in AI regulatory sandboxes. (d) Help SMEs and other stakeholders take part in the standardization development process. 2. When setting fees for conformity assessments under Article 43, the specific needs of SME providers and start-ups will be considered, and fees will be reduced based on their size, market size, and other relevant factors. 3. The AI Office will: (a) Provide standardized templates for areas covered by this Regulation as requested by the Board. (b) Create and maintain a single information platform that offers easy-to-understand information about this Regulation for all operators in the EU.
. The informed consent shall be dated and documented and a copy shall be given to the subjects of testing or their legal representative. Article 62 Measures for providers and deployers, in particular SMEs, including start-ups 1. Member States shall undertake the following actions: (a) provide SMEs, including start-ups, having a registered office or a branch in the Union, with priority access to the AI regulatory sandboxes, to the extent that they fulfil the eligibility conditions and selection criteria; the priority access shall not preclude other SMEs, including start-ups, other than those referred to in this paragraph from access to the AI regulatory sandbox, provided that they also fulfil the eligibility conditions and selection criteria; (b) organise specific awareness raising and training activities on the application of this Regulation tailored to the needs of SMEs including start-ups, deployers and, as appropriate, local public authorities; (c) utilise existing dedicated channels and where appropriate, establish new ones for communication with SMEs including start-ups, deployers, other innovators and, as appropriate, local public authorities to provide advice and respond to queries about the implementation of this Regulation, including as regards participation in AI regulatory sandboxes; (d) facilitate the participation of SMEs and other relevant stakeholders in the standardisation development process. 2. The specific interests and needs of the SME providers, including start-ups, shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to their size, market size and other relevant indicators. 3. The AI Office shall undertake the following actions: (a) provide standardised templates for areas covered by this Regulation, as specified by the Board in its request; (b) develop and maintain a single information platform providing easy to use information in relation to this Regulation for all operators across the Union; EN OJ L, 12.7.
Show original text
The Board has requested the following actions regarding this Regulation: (b) Create and maintain a user-friendly information platform for all operators in the Union to access information related to this Regulation. (c) Launch communication campaigns to inform people about their obligations under this Regulation. (d) Assess and promote the adoption of best practices in public procurement procedures for AI systems. Article 63: Exceptions for Specific Operators 1. Microenterprises, as defined by Recommendation 2003/361/EC, can meet some parts of the quality management system required by Article 17 of this Regulation in a simpler way, as long as they do not have partner or linked enterprises. The Commission will provide guidelines on which parts of the quality management system can be simplified for microenterprises, ensuring that safety and compliance with high-risk AI system requirements are still maintained. 2. This simplification does not exempt these operators from meeting other requirements or obligations outlined in this Regulation, including those in Articles 9, 10, 11, 12, 13, 14, 15, 72, and 73. CHAPTER VII: GOVERNANCE SECTION 1: Governance at Union Level Article 64: AI Office 1. The Commission will build expertise and capabilities in AI through the AI Office. 2. Member States will support the AI Office in carrying out its tasks as described in this Regulation. Article 65: Establishment and Structure of the European Artificial Intelligence Board
this Regulation, as specified by the Board in its request; (b) develop and maintain a single information platform providing easy to use information in relation to this Regulation for all operators across the Union; EN OJ L, 12.7.2024 94/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (c) organise appropriate communication campaigns to raise awareness about the obligations arising from this Regulation; (d) evaluate and promote the convergence of best practices in public procurement procedures in relation to AI systems. Article 63 Derogations for specific operators 1. Microenterprises within the meaning of Recommendation 2003/361/EC may comply with certain elements of the quality management system required by Article 17 of this Regulation in a simplified manner, provided that they do not have partner enterprises or linked enterprises within the meaning of that Recommendation. For that purpose, the Commission shall develop guidelines on the elements of the quality management system which may be complied with in a simplified manner considering the needs of microenterprises, without affecting the level of protection or the need for compliance with the requirements in respect of high-risk AI systems. 2. Paragraph 1 of this Article shall not be interpreted as exempting those operators from fulfilling any other requirements or obligations laid down in this Regulation, including those established in Articles 9, 10, 11, 12, 13, 14, 15, 72 and 73. CHAPTER VII GOVERNANCE SECTION 1 Governance at Union level Article 64 AI Office 1. The Commission shall develop Union expertise and capabilities in the field of AI through the AI Office. 2. Member States shall facilitate the tasks entrusted to the AI Office, as reflected in this Regulation. Article 65 Establishment and structure of the European Artificial Intelligence Board 1.
Show original text
The AI Office will enhance expertise and capabilities in the field of AI. Member States are required to support the AI Office in its tasks as outlined in this Regulation. Article 65 establishes the European Artificial Intelligence Board (the 'Board'). 1. The Board will consist of one representative from each Member State, with the European Data Protection Supervisor attending as an observer. The AI Office will also be present at the Board's meetings but will not vote. Other relevant national and Union authorities or experts may be invited to participate in meetings as needed. 2. Each Member State will appoint a representative for a three-year term, which can be renewed once. 3. Member States must ensure their representatives: (a) have the necessary skills and authority to actively contribute to the Board's tasks as mentioned in Article 66; (b) serve as the main contact point for the Board and, if needed, for stakeholders; (c) help maintain consistency and coordination among national authorities regarding the implementation of this Regulation, including gathering relevant data and information. 4. The representatives will adopt the Board's rules of procedure with a two-thirds majority vote.
expertise and capabilities in the field of AI through the AI Office. 2. Member States shall facilitate the tasks entrusted to the AI Office, as reflected in this Regulation. Article 65 Establishment and structure of the European Artificial Intelligence Board 1. A European Artificial Intelligence Board (the ‘Board’) is hereby established. 2. The Board shall be composed of one representative per Member State. The European Data Protection Supervisor shall participate as observer. The AI Office shall also attend the Board’s meetings, without taking part in the votes. Other national and Union authorities, bodies or experts may be invited to the meetings by the Board on a case by case basis, where the issues discussed are of relevance for them. 3. Each representative shall be designated by their Member State for a period of three years, renewable once. 4. Member States shall ensure that their representatives on the Board: (a) have the relevant competences and powers in their Member State so as to contribute actively to the achievement of the Board’s tasks referred to in Article 66; (b) are designated as a single contact point vis-à-vis the Board and, where appropriate, taking into account Member States’ needs, as a single contact point for stakeholders; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 95/144 (c) are empowered to facilitate consistency and coordination between national competent authorities in their Member State as regards the implementation of this Regulation, including through the collection of relevant data and information for the purpose of fulfilling their tasks on the Board. 5. The designated representatives of the Member States shall adopt the Board’s rules of procedure by a two-thirds majority.
Show original text
This Regulation includes collecting relevant data and information to help the Board fulfill its tasks. 5. The representatives from the Member States will approve the Board’s rules of procedure with a two-thirds majority. These rules will outline how to select the Chair, the length of their term, their responsibilities, voting procedures, and how the Board and its sub-groups will operate. 6. The Board will create two permanent sub-groups to promote cooperation and information sharing among market surveillance authorities and notifying authorities regarding market surveillance and notified bodies. The market surveillance sub-group will serve as the administrative cooperation group (ADCO) as defined in Article 30 of Regulation (EU) 2019/1020. The Board may also form additional sub-groups, either permanent or temporary, to address specific issues. When appropriate, representatives from the advisory forum mentioned in Article 67 may be invited to participate as observers in these sub-groups or specific meetings. 7. The Board will be structured and function in a way that ensures its activities are objective and impartial. 8. The Board will be led by a representative from the Member States. The AI Office will provide secretarial support for the Board, organize meetings at the Chair's request, and prepare the agenda based on the Board's tasks as outlined in this Regulation and its rules of procedure. Article 66: The Board's Tasks The Board will advise and assist the Commission and Member States to ensure the consistent and effective application of this Regulation.
of this Regulation, including through the collection of relevant data and information for the purpose of fulfilling their tasks on the Board. 5. The designated representatives of the Member States shall adopt the Board’s rules of procedure by a two-thirds majority. The rules of procedure shall, in particular, lay down procedures for the selection process, the duration of the mandate of, and specifications of the tasks of, the Chair, detailed arrangements for voting, and the organisation of the Board’s activities and those of its sub-groups. 6. The Board shall establish two standing sub-groups to provide a platform for cooperation and exchange among market surveillance authorities and notifying authorities about issues related to market surveillance and notified bodies respectively. The standing sub-group for market surveillance should act as the administrative cooperation group (ADCO) for this Regulation within the meaning of Article 30 of Regulation (EU) 2019/1020. The Board may establish other standing or temporary sub-groups as appropriate for the purpose of examining specific issues. Where appropriate, representatives of the advisory forum referred to in Article 67 may be invited to such sub-groups or to specific meetings of those subgroups as observers. 7. The Board shall be organised and operated so as to safeguard the objectivity and impartiality of its activities. 8. The Board shall be chaired by one of the representatives of the Member States. The AI Office shall provide the secretariat for the Board, convene the meetings upon request of the Chair, and prepare the agenda in accordance with the tasks of the Board pursuant to this Regulation and its rules of procedure. Article 66 Tasks of the Board The Board shall advise and assist the Commission and the Member States in order to facilitate the consistent and effective application of this Regulation.
Show original text
Article 66 outlines the tasks of the Board under this Regulation. The Board's main role is to support the Commission and Member States in applying this Regulation consistently and effectively. Specifically, the Board can: (a) help coordinate national authorities responsible for enforcing this Regulation and, with the agreement of market surveillance authorities, support their joint activities; (b) gather and share technical and regulatory knowledge and best practices among Member States; (c) advise on how to implement this Regulation, especially regarding rules for general-purpose AI models; (d) help standardize administrative practices across Member States, including exceptions to conformity assessment procedures, the operation of AI regulatory sandboxes, and real-world testing; (e) issue recommendations and written opinions on relevant matters related to the Regulation's implementation, either at the Commission's request or on its own initiative. This includes advice on developing codes of conduct, evaluating the Regulation, and providing insights on technical specifications or existing standards.
tasks of the Board pursuant to this Regulation and its rules of procedure. Article 66 Tasks of the Board The Board shall advise and assist the Commission and the Member States in order to facilitate the consistent and effective application of this Regulation. To that end, the Board may in particular: (a) contribute to the coordination among national competent authorities responsible for the application of this Regulation and, in cooperation with and subject to the agreement of the market surveillance authorities concerned, support joint activities of market surveillance authorities referred to in Article 74(11); (b) collect and share technical and regulatory expertise and best practices among Member States; (c) provide advice on the implementation of this Regulation, in particular as regards the enforcement of rules on general-purpose AI models; (d) contribute to the harmonisation of administrative practices in the Member States, including in relation to the derogation from the conformity assessment procedures referred to in Article 46, the functioning of AI regulatory sandboxes, and testing in real world conditions referred to in Articles 57, 59 and 60; (e) at the request of the Commission or on its own initiative, issue recommendations and written opinions on any relevant matters related to the implementation of this Regulation and to its consistent and effective application, including: (i) on the development and application of codes of conduct and codes of practice pursuant to this Regulation, as well as of the Commission’s guidelines; (ii) the evaluation and review of this Regulation pursuant to Article 112, including as regards the serious incident reports referred to in Article 73, and the functioning of the EU database referred to in Article 71, the preparation of the delegated or implementing acts, and as regards possible alignments of this Regulation with the Union harmonisation legislation listed in Annex I; (iii) on technical specifications or existing standards regarding the requirements set out in Chapter III, Section 2; EN OJ L, 12.7.
Show original text
This Regulation aligns with the EU harmonization laws listed in Annex I. It covers: (iii) technical specifications or existing standards related to Chapter III, Section 2; (iv) the use of harmonized standards or common specifications mentioned in Articles 40 and 41; (v) trends in European competitiveness in AI, AI adoption in the EU, and the development of digital skills; (vi) trends in AI value chains and their implications for accountability; (vii) the potential need to amend Annex III as per Article 7 and possibly revise Article 5 according to Article 112, based on available evidence and technological advancements. Additionally, it aims to: (f) support the Commission in promoting AI literacy and public understanding of the benefits, risks, safeguards, and rights related to AI systems; (g) help develop common criteria and a shared understanding among market operators and authorities regarding the concepts in this Regulation, including benchmarks; (h) cooperate with other EU institutions, bodies, and relevant expert groups in areas like product safety, cybersecurity, competition, digital services, financial services, consumer protection, and data rights; (i) contribute to effective collaboration with authorities in other countries and international organizations; (j) assist national authorities and the Commission in building the necessary organizational and technical expertise for implementing this Regulation.
alignments of this Regulation with the Union harmonisation legislation listed in Annex I; (iii) on technical specifications or existing standards regarding the requirements set out in Chapter III, Section 2; EN OJ L, 12.7.2024 96/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (iv) on the use of harmonised standards or common specifications referred to in Articles 40 and 41; (v) trends, such as European global competitiveness in AI, the uptake of AI in the Union, and the development of digital skills; (vi) trends on the evolving typology of AI value chains, in particular on the resulting implications in terms of accountability; (vii) on the potential need for amendment to Annex III in accordance with Article 7, and on the potential need for possible revision of Article 5 pursuant to Article 112, taking into account relevant available evidence and the latest developments in technology; (f) support the Commission in promoting AI literacy, public awareness and understanding of the benefits, risks, safeguards and rights and obligations in relation to the use of AI systems; (g) facilitate the development of common criteria and a shared understanding among market operators and competent authorities of the relevant concepts provided for in this Regulation, including by contributing to the development of benchmarks; (h) cooperate, as appropriate, with other Union institutions, bodies, offices and agencies, as well as relevant Union expert groups and networks, in particular in the fields of product safety, cybersecurity, competition, digital and media services, financial services, consumer protection, data and fundamental rights protection; (i) contribute to effective cooperation with the competent authorities of third countries and with international organisations; (j) assist national competent authorities and the Commission in developing the organisational and technical expertise required for the implementation of this Regulation, including by contributing to the assessment of
Show original text
To ensure effective collaboration with authorities in other countries and international organizations, the following actions will be taken: (j) Support national authorities and the Commission in building the necessary organizational and technical skills for implementing this Regulation, including assessing training needs for staff in Member States. (k) Help the AI Office assist national authorities in creating and developing AI regulatory sandboxes, and promote cooperation and information sharing among these sandboxes. (l) Contribute to and provide advice on creating guidance documents. (m) Advise the Commission on international AI matters. (n) Offer opinions to the Commission regarding qualified alerts about general-purpose AI models. (o) Gather opinions from Member States on qualified alerts concerning general-purpose AI models and share national experiences and practices related to monitoring and enforcing AI systems, especially those using general-purpose AI models. Article 67 establishes an advisory forum to provide technical expertise and advice to the Board and the Commission, aiding their responsibilities under this Regulation. The forum will include a balanced mix of stakeholders from industry, start-ups, SMEs, civil society, and academia, ensuring representation of both commercial and non-commercial interests, as well as a focus on SMEs. The Commission will appoint members based on these criteria from recognized experts in the AI field.
to effective cooperation with the competent authorities of third countries and with international organisations; (j) assist national competent authorities and the Commission in developing the organisational and technical expertise required for the implementation of this Regulation, including by contributing to the assessment of training needs for staff of Member States involved in implementing this Regulation; (k) assist the AI Office in supporting national competent authorities in the establishment and development of AI regulatory sandboxes, and facilitate cooperation and information-sharing among AI regulatory sandboxes; (l) contribute to, and provide relevant advice on, the development of guidance documents; (m) advise the Commission in relation to international matters on AI; (n) provide opinions to the Commission on the qualified alerts regarding general-purpose AI models; (o) receive opinions by the Member States on qualified alerts regarding general-purpose AI models, and on national experiences and practices on the monitoring and enforcement of AI systems, in particular systems integrating the general-purpose AI models. Article 67 Advisory forum 1. An advisory forum shall be established to provide technical expertise and advise the Board and the Commission, and to contribute to their tasks under this Regulation. 2. The membership of the advisory forum shall represent a balanced selection of stakeholders, including industry, start-ups, SMEs, civil society and academia. The membership of the advisory forum shall be balanced with regard to commercial and non-commercial interests and, within the category of commercial interests, with regard to SMEs and other undertakings. 3. The Commission shall appoint the members of the advisory forum, in accordance with the criteria set out in paragraph 2, from amongst stakeholders with recognised expertise in the field of AI. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 97/144 4.
Show original text
The advisory forum will have members serving a two-year term, which can be extended for up to four additional years. Permanent members of the forum include the Fundamental Rights Agency, ENISA, the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC), and the European Telecommunications Standards Institute (ETSI). The forum will create its own rules and elect two co-chairs from its members, who will serve for two years and can be re-elected once. The forum will meet at least twice a year and can invite experts and stakeholders to participate. It can also prepare opinions, recommendations, and written contributions when requested by the Board or the Commission. Additionally, the forum may form permanent or temporary sub-groups to address specific issues related to its objectives. An annual report on the forum's activities will be prepared and made publicly available. The Commission will establish a scientific panel of independent experts to assist with enforcement activities under this Regulation through an implementing act, which will follow the examination procedure outlined in Article 98(2).
with recognised expertise in the field of AI. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 97/144 4. The term of office of the members of the advisory forum shall be two years, which may be extended by up to no more than four years. 5. The Fundamental Rights Agency, ENISA, the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC), and the European Telecommunications Standards Institute (ETSI) shall be permanent members of the advisory forum. 6. The advisory forum shall draw up its rules of procedure. It shall elect two co-chairs from among its members, in accordance with criteria set out in paragraph 2. The term of office of the co-chairs shall be two years, renewable once. 7. The advisory forum shall hold meetings at least twice a year. The advisory forum may invite experts and other stakeholders to its meetings. 8. The advisory forum may prepare opinions, recommendations and written contributions at the request of the Board or the Commission. 9. The advisory forum may establish standing or temporary sub-groups as appropriate for the purpose of examining specific questions related to the objectives of this Regulation. 10. The advisory forum shall prepare an annual report on its activities. That report shall be made publicly available. Article 68 Scientific panel of independent experts 1. The Commission shall, by means of an implementing act, make provisions on the establishment of a scientific panel of independent experts (the ‘scientific panel’) intended to support the enforcement activities under this Regulation. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2). 2.
Show original text
A scientific panel of independent experts, referred to as the 'scientific panel', will be established to assist with enforcing this Regulation. This panel will be created through an implementing act that follows the examination procedure outlined in Article 98(2). The panel will be made up of experts chosen by the Commission based on their current scientific or technical knowledge in the field of AI. These experts must meet the following criteria: (a) possess specific expertise and competence in AI; (b) be independent from any AI system providers or general-purpose AI models; (c) be capable of performing their duties diligently, accurately, and objectively. The Commission, in consultation with the Board, will decide how many experts are needed on the panel, ensuring fair representation in terms of gender and geography. The scientific panel will advise and support the AI Office, particularly in the following areas: (a) helping to implement and enforce this Regulation concerning general-purpose AI models and systems by: (i) notifying the AI Office about potential systemic risks of general-purpose AI models at the Union level, as per Article 90; (ii) assisting in developing tools and methods to evaluate the capabilities of general-purpose AI models and systems, including benchmarks; (iii) advising on how to classify general-purpose AI models that pose systemic risks; (iv) providing guidance on classifying various general-purpose AI models and systems.
establishment of a scientific panel of independent experts (the ‘scientific panel’) intended to support the enforcement activities under this Regulation. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2). 2. The scientific panel shall consist of experts selected by the Commission on the basis of up-to-date scientific or technical expertise in the field of AI necessary for the tasks set out in paragraph 3, and shall be able to demonstrate meeting all of the following conditions: (a) having particular expertise and competence and scientific or technical expertise in the field of AI; (b) independence from any provider of AI systems or general-purpose AI models; (c) an ability to carry out activities diligently, accurately and objectively. The Commission, in consultation with the Board, shall determine the number of experts on the panel in accordance with the required needs and shall ensure fair gender and geographical representation. 3. The scientific panel shall advise and support the AI Office, in particular with regard to the following tasks: (a) supporting the implementation and enforcement of this Regulation as regards general-purpose AI models and systems, in particular by: (i) alerting the AI Office of possible systemic risks at Union level of general-purpose AI models, in accordance with Article 90; (ii) contributing to the development of tools and methodologies for evaluating capabilities of general-purpose AI models and systems, including through benchmarks; (iii) providing advice on the classification of general-purpose AI models with systemic risk; (iv) providing advice on the classification of various general-purpose AI models and systems; EN OJ L, 12.7.
Show original text
The scientific panel will: (i) evaluate systems using benchmarks; (ii) advise on classifying general-purpose AI models that pose systemic risks; (iii) assist in classifying different general-purpose AI models and systems; (iv) help develop tools and templates; (v) support market surveillance authorities when requested; (vi) aid in cross-border market surveillance activities as outlined in Article 74(11), while respecting the authority of market surveillance bodies; and (vii) assist the AI Office in its responsibilities related to the Union safeguard procedure under Article 81. The experts on the scientific panel must work impartially and objectively, keeping all information confidential. They cannot take instructions from anyone while performing their duties. Each expert must publicly declare any interests. The AI Office will implement systems to manage and prevent conflicts of interest. The implementing act mentioned will detail the conditions and procedures for the scientific panel to issue alerts and request help from the AI Office. Member States can request support from the scientific panel's experts for their enforcement activities under this Regulation, but they may need to pay fees for the advice and support provided.
systems, including through benchmarks; (iii) providing advice on the classification of general-purpose AI models with systemic risk; (iv) providing advice on the classification of various general-purpose AI models and systems; EN OJ L, 12.7.2024 98/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (v) contributing to the development of tools and templates; (b) supporting the work of market surveillance authorities, at their request; (c) supporting cross-border market surveillance activities as referred to in Article 74(11), without prejudice to the powers of market surveillance authorities; (d) supporting the AI Office in carrying out its duties in the context of the Union safeguard procedure pursuant to Article 81. 4. The experts on the scientific panel shall perform their tasks with impartiality and objectivity, and shall ensure the confidentiality of information and data obtained in carrying out their tasks and activities. They shall neither seek nor take instructions from anyone when exercising their tasks under paragraph 3. Each expert shall draw up a declaration of interests, which shall be made publicly available. The AI Office shall establish systems and procedures to actively manage and prevent potential conflicts of interest. 5. The implementing act referred to in paragraph 1 shall include provisions on the conditions, procedures and detailed arrangements for the scientific panel and its members to issue alerts, and to request the assistance of the AI Office for the performance of the tasks of the scientific panel. Article 69 Access to the pool of experts by the Member States 1. Member States may call upon experts of the scientific panel to support their enforcement activities under this Regulation. 2. The Member States may be required to pay fees for the advice and support provided by the experts.
Show original text
Member States can request help from experts in the scientific panel to assist with enforcing this Regulation. They may need to pay fees for this expert advice, and the details about these fees and costs will be outlined in an implementing act mentioned in Article 68(1). This will consider the goals of effectively implementing the Regulation, being cost-effective, and ensuring all Member States can access experts. The Commission will help Member States access these experts promptly and will coordinate support activities from Union AI testing and experts to maximize their effectiveness. Each Member State must establish or designate at least one notifying authority and one market surveillance authority as national competent authorities for this Regulation. These authorities must operate independently and fairly to maintain objectivity in their work and ensure the Regulation is applied correctly. Members of these authorities should avoid any actions that conflict with their responsibilities. If these principles are followed, one or more designated authorities can carry out these tasks based on the Member State's needs. Member States must inform the Commission about the identities and tasks of their notifying and market surveillance authorities and any changes to this information. They should also provide public access to contact information for these authorities through electronic means by August 2, 2025.
experts by the Member States 1. Member States may call upon experts of the scientific panel to support their enforcement activities under this Regulation. 2. The Member States may be required to pay fees for the advice and support provided by the experts. The structure and the level of fees as well as the scale and structure of recoverable costs shall be set out in the implementing act referred to in Article 68(1), taking into account the objectives of the adequate implementation of this Regulation, cost-effectiveness and the necessity of ensuring effective access to experts for all Member States. 3. The Commission shall facilitate timely access to the experts by the Member States, as needed, and ensure that the combination of support activities carried out by Union AI testing support pursuant to Article 84 and experts pursuant to this Article is efficiently organised and provides the best possible added value. SECTION 2 National competent authorities Article 70 Designation of national competent authorities and single points of contact 1. Each Member State shall establish or designate as national competent authorities at least one notifying authority and at least one market surveillance authority for the purposes of this Regulation. Those national competent authorities shall exercise their powers independently, impartially and without bias so as to safeguard the objectivity of their activities and tasks, and to ensure the application and implementation of this Regulation. The members of those authorities shall refrain from any action incompatible with their duties. Provided that those principles are observed, such activities and tasks may be performed by one or more designated authorities, in accordance with the organisational needs of the Member State. 2. Member States shall communicate to the Commission the identity of the notifying authorities and the market surveillance authorities and the tasks of those authorities, as well as any subsequent changes thereto. Member States shall make publicly available information on how competent authorities and single points of contact can be contacted, through electronic communication means by 2 August 2025.
Show original text
Member States must publicly share information on how to contact their competent authorities and single points of contact by August 2, 2025. They are required to designate a market surveillance authority as the single point of contact for this Regulation and inform the Commission of its identity. The Commission will then publish a list of these contacts. Member States must ensure that their national competent authorities have enough technical, financial, and human resources, as well as the necessary infrastructure to effectively carry out their responsibilities under this Regulation. These authorities should have a sufficient number of staff with expertise in AI technologies, data protection, cybersecurity, fundamental rights, health and safety risks, and knowledge of relevant standards and legal requirements. Member States should review and update these resource and competence needs annually. National competent authorities must implement measures to maintain a high level of cybersecurity and must adhere to confidentiality obligations as outlined in Article 78. By August 2, 2025, and every two years thereafter, Member States are required to report to the Commission on the status of their national competent authorities' financial and human resources, including an evaluation of their adequacy. The Commission will share this information with the Board for discussion and potential recommendations. The Commission will also support the sharing of experiences among national competent authorities.
the tasks of those authorities, as well as any subsequent changes thereto. Member States shall make publicly available information on how competent authorities and single points of contact can be contacted, through electronic communication means by 2 August 2025. Member States shall designate a market surveillance authority to act as the single point of contact for this Regulation, and shall notify the Commission of the identity of the single point of contact. The Commission shall make a list of the single points of contact publicly available. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 99/144 3. Member States shall ensure that their national competent authorities are provided with adequate technical, financial and human resources, and with infrastructure to fulfil their tasks effectively under this Regulation. In particular, the national competent authorities shall have a sufficient number of personnel permanently available whose competences and expertise shall include an in-depth understanding of AI technologies, data and data computing, personal data protection, cybersecurity, fundamental rights, health and safety risks and knowledge of existing standards and legal requirements. Member States shall assess and, if necessary, update competence and resource requirements referred to in this paragraph on an annual basis. 4. National competent authorities shall take appropriate measures to ensure an adequate level of cybersecurity. 5. When performing their tasks, the national competent authorities shall act in accordance with the confidentiality obligations set out in Article 78. 6. By 2 August 2025, and once every two years thereafter, Member States shall report to the Commission on the status of the financial and human resources of the national competent authorities, with an assessment of their adequacy. The Commission shall transmit that information to the Board for discussion and possible recommendations. 7. The Commission shall facilitate the exchange of experience between national competent authorities. 8.
Show original text
The Commission will evaluate the resources and personnel of national authorities and share this information with the Board for discussion and potential recommendations. Additionally, the Commission will help national authorities share their experiences with each other. National authorities can offer guidance on implementing this Regulation, especially for small and medium-sized enterprises (SMEs) and start-ups, while considering advice from the Board and the Commission. If national authorities plan to give guidance on AI systems related to other EU laws, they must consult the relevant authorities for those laws. For EU institutions, bodies, offices, or agencies covered by this Regulation, the European Data Protection Supervisor will oversee their compliance. CHAPTER VIII EU DATABASE FOR HIGH-RISK AI SYSTEMS Article 71 EU Database for High-Risk AI Systems Listed in Annex III 1. The Commission, in partnership with Member States, will create and maintain an EU database that includes information about high-risk AI systems as defined in Article 6(2), which are registered according to Articles 49 and 60, as well as AI systems not classified as high-risk under Article 6(3) that are registered according to Article 6(4) and Article 49. The Commission will consult relevant experts when establishing and updating the database's specifications. 2. Providers or their authorized representatives must enter the data specified in Sections A and B of Annex VIII into the EU database.
and human resources of the national competent authorities, with an assessment of their adequacy. The Commission shall transmit that information to the Board for discussion and possible recommendations. 7. The Commission shall facilitate the exchange of experience between national competent authorities. 8. National competent authorities may provide guidance and advice on the implementation of this Regulation, in particular to SMEs including start-ups, taking into account the guidance and advice of the Board and the Commission, as appropriate. Whenever national competent authorities intend to provide guidance and advice with regard to an AI system in areas covered by other Union law, the national competent authorities under that Union law shall be consulted, as appropriate. 9. Where Union institutions, bodies, offices or agencies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as the competent authority for their supervision. CHAPTER VIII EU DATABASE FOR HIGH-RISK AI SYSTEMS Article 71 EU database for high-risk AI systems listed in Annex III 1. The Commission shall, in collaboration with the Member States, set up and maintain an EU database containing information referred to in paragraphs 2 and 3 of this Article concerning high-risk AI systems referred to in Article 6(2) which are registered in accordance with Articles 49 and 60 and AI systems that are not considered as high-risk pursuant to Article 6(3) and which are registered in accordance with Article 6(4) and Article 49. When setting the functional specifications of such database, the Commission shall consult the relevant experts, and when updating the functional specifications of such database, the Commission shall consult the Board. 2. The data listed in Sections A and B of Annex VIII shall be entered into the EU database by the provider or, where applicable, by the authorised representative. 3.
Show original text
1. The Commission will consult the Board regarding the specifications of the database. 2. The data in Sections A and B of Annex VIII must be entered into the EU database by the provider or their authorized representative. 3. The data in Section C of Annex VIII must be entered by the deployer, who represents a public authority, agency, or body, as per Article 49(3) and (4). 4. Most information in the EU database, as registered under Article 49, will be publicly accessible and easy to navigate, except for the information mentioned in Article 49(4) and Article 60(4)(c). Data registered under Article 60 will only be available to market surveillance authorities and the Commission, unless the provider consents to public access. 5. The EU database will only contain personal data that is necessary for information collection and processing, including names and contact details of individuals responsible for system registration and authorized to represent the provider or deployer. 6. The Commission will manage the EU database and provide technical and administrative support to providers and deployers, ensuring the database meets accessibility standards.
specifications of such database, the Commission shall consult the Board. 2. The data listed in Sections A and B of Annex VIII shall be entered into the EU database by the provider or, where applicable, by the authorised representative. 3. The data listed in Section C of Annex VIII shall be entered into the EU database by the deployer who is, or who acts on behalf of, a public authority, agency or body, in accordance with Article 49(3) and (4). 4. With the exception of the section referred to in Article 49(4) and Article 60(4), point (c), the information contained in the EU database registered in accordance with Article 49 shall be accessible and publicly available in a user-friendly manner. The information should be easily navigable and machine-readable. The information registered in accordance with Article 60 shall be accessible only to market surveillance authorities and the Commission, unless the prospective provider or provider has given consent for also making the information accessible the public. 5. The EU database shall contain personal data only in so far as necessary for collecting and processing information in accordance with this Regulation. That information shall include the names and contact details of natural persons who are responsible for registering the system and have the legal authority to represent the provider or the deployer, as applicable. EN OJ L, 12.7.2024 100/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 6. The Commission shall be the controller of the EU database. It shall make available to providers, prospective providers and deployers adequate technical and administrative support. The EU database shall comply with the applicable accessibility requirements.
Show original text
The Commission will manage the EU database and provide technical and administrative support to providers, potential providers, and deployers. The database must meet accessibility standards. **CHAPTER IX: POST-MARKET MONITORING, INFORMATION SHARING, AND MARKET SURVEILLANCE** **SECTION 1: Post-Market Monitoring** **Article 72: Post-Market Monitoring by Providers and Plan for High-Risk AI Systems** 1. Providers must create and document a post-market monitoring system that matches the nature and risks of high-risk AI technologies. 2. This system should actively collect, document, and analyze relevant data on the performance of high-risk AI systems throughout their lifecycle. This data can come from deployers or other sources and will help providers ensure ongoing compliance with the requirements in Chapter III, Section 2. If applicable, the monitoring should also assess how these AI systems interact with others. However, it will not include sensitive operational data from law enforcement agencies. 3. The post-market monitoring system must follow a post-market monitoring plan, which is part of the technical documentation outlined in Annex IV. The Commission will create a detailed template for this plan and specify what it should include by February 2, 2026, following the examination procedure in Article 98(2).
/1689/oj 6. The Commission shall be the controller of the EU database. It shall make available to providers, prospective providers and deployers adequate technical and administrative support. The EU database shall comply with the applicable accessibility requirements. CHAPTER IX POST-MARKET MONITORING, INFORMATION SHARING AND MARKET SURVEILLANCE SECTION 1 Post-market monitoring Article 72 Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems 1. Providers shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the AI technologies and the risks of the high-risk AI system. 2. The post-market monitoring system shall actively and systematically collect, document and analyse relevant data which may be provided by deployers or which may be collected through other sources on the performance of high-risk AI systems throughout their lifetime, and which allow the provider to evaluate the continuous compliance of AI systems with the requirements set out in Chapter III, Section 2. Where relevant, post-market monitoring shall include an analysis of the interaction with other AI systems. This obligation shall not cover sensitive operational data of deployers which are law-enforcement authorities. 3. The post-market monitoring system shall be based on a post-market monitoring plan. The post-market monitoring plan shall be part of the technical documentation referred to in Annex IV. The Commission shall adopt an implementing act laying down detailed provisions establishing a template for the post-market monitoring plan and the list of elements to be included in the plan by 2 February 2026. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2). 4.
Show original text
By February 2, 2026, a plan for post-market monitoring and a list of required elements must be established. This plan will be adopted following the examination procedure outlined in Article 98(2). For high-risk AI systems that are already covered by existing Union harmonization legislation (as listed in Section A of Annex I), providers can integrate the necessary elements from the new plan into their existing systems, as long as they maintain the same level of protection. This also applies to high-risk AI systems mentioned in point 5 of Annex III that are used by financial institutions, which must comply with Union financial services laws regarding their internal governance and processes. Section 2: Sharing Information on Serious Incidents Article 73: Reporting Serious Incidents 1. Providers of high-risk AI systems sold in the Union must report any serious incidents to the market surveillance authorities in the Member States where the incidents occurred. 2. Reports must be made immediately after the provider identifies a causal link between the AI system and the serious incident, or if there is a reasonable likelihood of such a link. Reports must be submitted no later than 15 days after the provider or deployer becomes aware of the incident, taking into account the severity of the incident. 3.
for the post-market monitoring plan and the list of elements to be included in the plan by 2 February 2026. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 98(2). 4. For high-risk AI systems covered by the Union harmonisation legislation listed in Section A of Annex I, where a post-market monitoring system and plan are already established under that legislation, in order to ensure consistency, avoid duplications and minimise additional burdens, providers shall have a choice of integrating, as appropriate, the necessary elements described in paragraphs 1, 2 and 3 using the template referred in paragraph 3 into systems and plans already existing under that legislation, provided that it achieves an equivalent level of protection. The first subparagraph of this paragraph shall also apply to high-risk AI systems referred to in point 5 of Annex III placed on the market or put into service by financial institutions that are subject to requirements under Union financial services law regarding their internal governance, arrangements or processes. SECTION 2 Sharing of information on serious incidents Article 73 Reporting of serious incidents 1. Providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 101/144 2. The report referred to in paragraph 1 shall be made immediately after the provider has established a causal link between the AI system and the serious incident or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the provider or, where applicable, the deployer, becomes aware of the serious incident. The period for the reporting referred to in the first subparagraph shall take account of the severity of the serious incident. 3.
Show original text
Providers or deployers must report serious incidents within 15 days of becoming aware of them, considering the incident's severity. However, if there is a widespread infringement or a serious incident as defined in Article 3, point (49)(b), the report must be made immediately and no later than 2 days after awareness. In cases of a person's death, the report should be made immediately upon establishing or suspecting a link between the high-risk AI system and the incident, but no later than 10 days after awareness. Providers or deployers can submit an initial incomplete report if necessary, followed by a complete one. After reporting a serious incident, the provider must promptly investigate the incident and the AI system involved, including conducting a risk assessment and taking corrective actions. They must cooperate with relevant authorities during these investigations and cannot alter the AI system in a way that could affect the evaluation of the incident's causes without informing the authorities first.
, not later than 15 days after the provider or, where applicable, the deployer, becomes aware of the serious incident. The period for the reporting referred to in the first subparagraph shall take account of the severity of the serious incident. 3. Notwithstanding paragraph 2 of this Article, in the event of a widespread infringement or a serious incident as defined in Article 3, point (49)(b), the report referred to in paragraph 1 of this Article shall be provided immediately, and not later than two days after the provider or, where applicable, the deployer becomes aware of that incident. 4. Notwithstanding paragraph 2, in the event of the death of a person, the report shall be provided immediately after the provider or the deployer has established, or as soon as it suspects, a causal relationship between the high-risk AI system and the serious incident, but not later than 10 days after the date on which the provider or, where applicable, the deployer becomes aware of the serious incident. 5. Where necessary to ensure timely reporting, the provider or, where applicable, the deployer, may submit an initial report that is incomplete, followed by a complete report. 6. Following the reporting of a serious incident pursuant to paragraph 1, the provider shall, without delay, perform the necessary investigations in relation to the serious incident and the AI system concerned. This shall include a risk assessment of the incident, and corrective action. The provider shall cooperate with the competent authorities, and where relevant with the notified body concerned, during the investigations referred to in the first subparagraph, and shall not perform any investigation which involves altering the AI system concerned in a way which may affect any subsequent evaluation of the causes of the incident, prior to informing the competent authorities of such action. 7.
Show original text
Before making any changes to an AI system that could affect future investigations, the responsible party must inform the relevant authorities. When a serious incident occurs, as defined in Article 3, point (49)(c), the market surveillance authority must notify the national public authorities mentioned in Article 77(1). The Commission will create specific guidance to help ensure compliance with these requirements, which will be available by August 2, 2025, and will be reviewed regularly. The market surveillance authority is required to take necessary actions within seven days of receiving the incident notification, following the procedures outlined in Regulation (EU) 2019/1020. For high-risk AI systems listed in Annex III that are marketed by providers under EU laws with similar reporting requirements, notifications of serious incidents will only include those specified in Article 3, point (49)(c). For high-risk AI systems that are safety components of devices or are devices themselves, as covered by Regulations (EU) 2017/745 and (EU) 2017/746, notifications of serious incidents will also be limited to those in Article 3, point (49)(c) and must be sent to the national authority designated by the Member States where the incident took place.
referred to in the first subparagraph, and shall not perform any investigation which involves altering the AI system concerned in a way which may affect any subsequent evaluation of the causes of the incident, prior to informing the competent authorities of such action. 7. Upon receiving a notification related to a serious incident referred to in Article 3, point (49)(c), the relevant market surveillance authority shall inform the national public authorities or bodies referred to in Article 77(1). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1 of this Article. That guidance shall be issued by 2 August 2025, and shall be assessed regularly. 8. The market surveillance authority shall take appropriate measures, as provided for in Article 19 of Regulation (EU) 2019/1020, within seven days from the date it received the notification referred to in paragraph 1 of this Article, and shall follow the notification procedures as provided in that Regulation. 9. For high-risk AI systems referred to in Annex III that are placed on the market or put into service by providers that are subject to Union legislative instruments laying down reporting obligations equivalent to those set out in this Regulation, the notification of serious incidents shall be limited to those referred to in Article 3, point (49)(c). 10. For high-risk AI systems which are safety components of devices, or are themselves devices, covered by Regulations (EU) 2017/745 and (EU) 2017/746, the notification of serious incidents shall be limited to those referred to in Article 3, point (49)(c) of this Regulation, and shall be made to the national competent authority chosen for that purpose by the Member States where the incident occurred. 11.
Show original text
Serious incidents are limited to those specified in Article 3, point (49)(c) of this Regulation and must be reported to the national authority designated by the Member States where the incident took place. National authorities must promptly inform the Commission about any serious incident, regardless of whether they have taken action, as per Article 20 of Regulation (EU) 2019/1020. SECTION 3 Enforcement Article 74 Market Surveillance and Control of AI Systems in the Union Market 1. Regulation (EU) 2019/1020 applies to AI systems covered by this Regulation. For effective enforcement: (a) Any mention of an economic operator in Regulation (EU) 2019/1020 includes all operators listed in Article 2(1) of this Regulation. (b) Any mention of a product in Regulation (EU) 2019/1020 includes all AI systems within the scope of this Regulation. 2. Market surveillance authorities must report annually to the Commission and relevant national competition authorities any findings from market surveillance that could impact Union competition law. They must also report yearly on any prohibited practices that occurred and the actions taken in response.
serious incidents shall be limited to those referred to in Article 3, point (49)(c) of this Regulation, and shall be made to the national competent authority chosen for that purpose by the Member States where the incident occurred. 11. National competent authorities shall immediately notify the Commission of any serious incident, whether or not they have taken action on it, in accordance with Article 20 of Regulation (EU) 2019/1020. SECTION 3 Enforcement Article 74 Market surveillance and control of AI systems in the Union market 1. Regulation (EU) 2019/1020 shall apply to AI systems covered by this Regulation. For the purposes of the effective enforcement of this Regulation: EN OJ L, 12.7.2024 102/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (a) any reference to an economic operator under Regulation (EU) 2019/1020 shall be understood as including all operators identified in Article 2(1) of this Regulation; (b) any reference to a product under Regulation (EU) 2019/1020 shall be understood as including all AI systems falling within the scope of this Regulation. 2. As part of their reporting obligations under Article 34(4) of Regulation (EU) 2019/1020, the market surveillance authorities shall report annually to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union law on competition rules. They shall also annually report to the Commission about the use of prohibited practices that occurred during that year and about the measures taken. 3.
Show original text
Market surveillance authorities will monitor activities that may relate to EU competition laws and must report annually to the Commission on any prohibited practices and the actions taken against them. For high-risk AI systems linked to products under EU harmonization laws listed in Section A of Annex I, the designated market surveillance authority will be the one specified in those laws. However, Member States can appoint a different authority if they coordinate with the relevant sectoral authorities. The procedures outlined in Articles 79 to 83 of this Regulation do not apply to AI systems related to these products if the existing laws already provide similar protections. In such cases, the specific sectoral procedures will be followed. Additionally, market surveillance authorities can use certain powers remotely to enforce this Regulation effectively, as outlined in Article 14 of Regulation (EU) 2019/1020.
course of market surveillance activities that may be of potential interest for the application of Union law on competition rules. They shall also annually report to the Commission about the use of prohibited practices that occurred during that year and about the measures taken. 3. For high-risk AI systems related to products covered by the Union harmonisation legislation listed in Section A of Annex I, the market surveillance authority for the purposes of this Regulation shall be the authority responsible for market surveillance activities designated under those legal acts. By derogation from the first subparagraph, and in appropriate circumstances, Member States may designate another relevant authority to act as a market surveillance authority, provided they ensure coordination with the relevant sectoral market surveillance authorities responsible for the enforcement of the Union harmonisation legislation listed in Annex I. 4. The procedures referred to in Articles 79 to 83 of this Regulation shall not apply to AI systems related to products covered by the Union harmonisation legislation listed in section A of Annex I, where such legal acts already provide for procedures ensuring an equivalent level of protection and having the same objective. In such cases, the relevant sectoral procedures shall apply instead. 5. Without prejudice to the powers of market surveillance authorities under Article 14 of Regulation (EU) 2019/1020, for the purpose of ensuring the effective enforcement of this Regulation, market surveillance authorities may exercise the powers referred to in Article 14(4), points (d) and (j), of that Regulation remotely, as appropriate. 6.
Show original text
To ensure effective enforcement of this Regulation, market surveillance authorities can use the powers mentioned in Article 14(4), points (d) and (j), remotely when appropriate. For high-risk AI systems used by financial institutions regulated by EU financial services law, the relevant national authority responsible for supervising these institutions will act as the market surveillance authority, as long as the AI system's use is directly related to providing financial services. However, in certain situations and with proper coordination, a different authority may be designated by the Member State as the market surveillance authority. National market surveillance authorities overseeing regulated credit institutions under Directive 2013/36/EU, which are part of the Single Supervisory Mechanism established by Regulation (EU) No 1024/2013, must promptly report any relevant information from their market surveillance activities to the European Central Bank, as it may be important for the Bank's supervisory tasks. For high-risk AI systems used in law enforcement, border management, and justice, as well as those listed in points 6, 7, and 8 of Annex III, Member States must designate either the competent data protection supervisory authorities under Regulation (EU) 2016/679 or Directive (EU) 2016/680, or another designated authority as the market surveillance authority.
0, for the purpose of ensuring the effective enforcement of this Regulation, market surveillance authorities may exercise the powers referred to in Article 14(4), points (d) and (j), of that Regulation remotely, as appropriate. 6. For high-risk AI systems placed on the market, put into service, or used by financial institutions regulated by Union financial services law, the market surveillance authority for the purposes of this Regulation shall be the relevant national authority responsible for the financial supervision of those institutions under that legislation in so far as the placing on the market, putting into service, or the use of the AI system is in direct connection with the provision of those financial services. 7. By way of derogation from paragraph 6, in appropriate circumstances, and provided that coordination is ensured, another relevant authority may be identified by the Member State as market surveillance authority for the purposes of this Regulation. National market surveillance authorities supervising regulated credit institutions regulated under Directive 2013/36/EU, which are participating in the Single Supervisory Mechanism established by Regulation (EU) No 1024/2013, should report, without delay, to the European Central Bank any information identified in the course of their market surveillance activities that may be of potential interest for the prudential supervisory tasks of the European Central Bank specified in that Regulation. 8. For high-risk AI systems listed in point 1 of Annex III to this Regulation, in so far as the systems are used for law enforcement purposes, border management and justice and democracy, and for high-risk AI systems listed in points 6, 7 and 8 of Annex III to this Regulation, Member States shall designate as market surveillance authorities for the purposes of this Regulation either the competent data protection supervisory authorities under Regulation (EU) 2016/679 or Directive (EU) 2016/680, or any other authority designated pursuant to
Show original text
Market surveillance authorities for this Regulation will be either the data protection supervisory authorities under Regulation (EU) 2016/679 or Directive (EU) 2016/680, or any other authority designated according to Articles 41 to 44 of Directive (EU) 2016/680. These market surveillance activities will not interfere with the independence of judicial authorities or their judicial functions. For Union institutions, bodies, offices, or agencies covered by this Regulation, the European Data Protection Supervisor will serve as the market surveillance authority, except for the Court of Justice of the European Union when it is acting in its judicial capacity. Member States must help coordinate between the designated market surveillance authorities and other relevant national authorities that oversee the application of Union harmonization legislation listed in Annex I or other Union laws related to high-risk AI systems mentioned in Annex III. Market surveillance authorities and the Commission can propose joint activities, including joint investigations, to ensure compliance, identify non-compliance, raise awareness, or provide guidance regarding this Regulation for specific high-risk AI systems that pose serious risks across multiple Member States, as outlined in Article 9 of Regulation (EU) 2019/1020. The AI Office will support coordination for these joint investigations.
shall designate as market surveillance authorities for the purposes of this Regulation either the competent data protection supervisory authorities under Regulation (EU) 2016/679 or Directive (EU) 2016/680, or any other authority designated pursuant to the same conditions laid down in Articles 41 to 44 of Directive (EU) 2016/680. Market surveillance activities shall in no way affect the independence of judicial authorities, or otherwise interfere with their activities when acting in their judicial capacity. 9. Where Union institutions, bodies, offices or agencies fall within the scope of this Regulation, the European Data Protection Supervisor shall act as their market surveillance authority, except in relation to the Court of Justice of the European Union acting in its judicial capacity. 10. Member States shall facilitate coordination between market surveillance authorities designated under this Regulation and other relevant national authorities or bodies which supervise the application of Union harmonisation legislation listed in Annex I, or in other Union law, that might be relevant for the high-risk AI systems referred to in Annex III. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 103/144 11. Market surveillance authorities and the Commission shall be able to propose joint activities, including joint investigations, to be conducted by either market surveillance authorities or market surveillance authorities jointly with the Commission, that have the aim of promoting compliance, identifying non-compliance, raising awareness or providing guidance in relation to this Regulation with respect to specific categories of high-risk AI systems that are found to present a serious risk across two or more Member States in accordance with Article 9 of Regulation (EU) 2019/1020. The AI Office shall provide coordination support for joint investigations. 12.
Show original text
- High-risk AI systems that pose a serious risk in two or more Member States, as defined in Article 9 of Regulation (EU) 2019/1020, will be coordinated by the AI Office for joint investigations. - Market surveillance authorities will have full access to the documentation, training, validation, and testing data used to develop high-risk AI systems. This access may include remote access through APIs or other technical means, as long as it is necessary for their tasks and complies with security measures. - Authorities can request access to the source code of high-risk AI systems if two conditions are met: (a) the source code is needed to check if the AI system meets the requirements in Chapter III, Section 2, and (b) all other testing and auditing methods using the provided data and documentation have been exhausted or found inadequate. - Any information obtained by market surveillance authorities must be kept confidential according to Article 78. - For AI systems based on general-purpose AI models developed by the same provider, the AI Office has the authority to monitor and ensure compliance with this Regulation. The AI Office will have all the powers of a market surveillance authority as outlined in this Section and Regulation (EU) 2019/1020.
-risk AI systems that are found to present a serious risk across two or more Member States in accordance with Article 9 of Regulation (EU) 2019/1020. The AI Office shall provide coordination support for joint investigations. 12. Without prejudice to the powers provided for under Regulation (EU) 2019/1020, and where relevant and limited to what is necessary to fulfil their tasks, the market surveillance authorities shall be granted full access by providers to the documentation as well as the training, validation and testing data sets used for the development of high-risk AI systems, including, where appropriate and subject to security safeguards, through application programming interfaces (API) or other relevant technical means and tools enabling remote access. 13. Market surveillance authorities shall be granted access to the source code of the high-risk AI system upon a reasoned request and only when both of the following conditions are fulfilled: (a) access to source code is necessary to assess the conformity of a high-risk AI system with the requirements set out in Chapter III, Section 2; and (b) testing or auditing procedures and verifications based on the data and documentation provided by the provider have been exhausted or proved insufficient. 14. Any information or documentation obtained by market surveillance authorities shall be treated in accordance with the confidentiality obligations set out in Article 78. Article 75 Mutual assistance, market surveillance and control of general-purpose AI systems 1. Where an AI system is based on a general-purpose AI model, and the model and the system are developed by the same provider, the AI Office shall have powers to monitor and supervise compliance of that AI system with obligations under this Regulation. To carry out its monitoring and supervision tasks, the AI Office shall have all the powers of a market surveillance authority provided for in this Section and Regulation (EU) 2019/1020. 2.
Show original text
The AI Office has the authority to monitor and supervise compliance with this Regulation, similar to a market surveillance authority as outlined in Regulation (EU) 2019/1020. If market surveillance authorities believe that general-purpose AI systems, which can be used for high-risk purposes, are not meeting the requirements of this Regulation, they must work with the AI Office to evaluate compliance and inform the Board and other authorities. If a market surveillance authority cannot complete its investigation of a high-risk AI system due to lack of access to necessary information, it can request the AI Office to enforce access to that information. The AI Office must then provide relevant information within 30 days to help determine compliance. Authorities must keep this information confidential as per Article 78 of this Regulation. The procedures from Chapter VI of Regulation (EU) 2019/1020 will also apply. Additionally, market surveillance authorities have the power to ensure that real-world testing complies with this Regulation.
with obligations under this Regulation. To carry out its monitoring and supervision tasks, the AI Office shall have all the powers of a market surveillance authority provided for in this Section and Regulation (EU) 2019/1020. 2. Where the relevant market surveillance authorities have sufficient reason to consider general-purpose AI systems that can be used directly by deployers for at least one purpose that is classified as high-risk pursuant to this Regulation to be non-compliant with the requirements laid down in this Regulation, they shall cooperate with the AI Office to carry out compliance evaluations, and shall inform the Board and other market surveillance authorities accordingly. 3. Where a market surveillance authority is unable to conclude its investigation of the high-risk AI system because of its inability to access certain information related to the general-purpose AI model despite having made all appropriate efforts to obtain that information, it may submit a reasoned request to the AI Office, by which access to that information shall be enforced. In that case, the AI Office shall supply to the applicant authority without delay, and in any event within 30 days, any information that the AI Office considers to be relevant in order to establish whether a high-risk AI system is non-compliant. Market surveillance authorities shall safeguard the confidentiality of the information that they obtain in accordance with Article 78 of this Regulation. The procedure provided for in Chapter VI of Regulation (EU) 2019/1020 shall apply mutatis mutandis. Article 76 Supervision of testing in real world conditions by market surveillance authorities 1. Market surveillance authorities shall have competences and powers to ensure that testing in real world conditions is in accordance with this Regulation. EN OJ L, 12.7.2024 104/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2.
Show original text
According to this regulation, when AI systems are tested in real-world conditions within an AI regulatory sandbox as outlined in Article 58, market surveillance authorities will check for compliance with Article 60 as part of their oversight. These authorities may allow the provider or potential provider to conduct real-world testing, even if it doesn't fully meet the conditions in Article 60(4), points (f) and (g). If a market surveillance authority learns from the provider, potential provider, or a third party about a serious incident, or if they believe the conditions in Articles 60 and 61 are not being met, they can decide to either: (a) suspend or end the real-world testing, or (b) require changes to the testing process. If a market surveillance authority makes such a decision or raises an objection as per Article 60(4), point (b), they must explain the reasons for their decision and how the provider can appeal it. Additionally, if applicable, the authority must inform other Member States' market surveillance authorities about the reasons for their decision if the AI system has been tested in those countries according to the testing plan.
in accordance with this Regulation. EN OJ L, 12.7.2024 104/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2. Where testing in real world conditions is conducted for AI systems that are supervised within an AI regulatory sandbox under Article 58, the market surveillance authorities shall verify the compliance with Article 60 as part of their supervisory role for the AI regulatory sandbox. Those authorities may, as appropriate, allow the testing in real world conditions to be conducted by the provider or prospective provider, in derogation from the conditions set out in Article 60(4), points (f) and (g). 3. Where a market surveillance authority has been informed by the prospective provider, the provider or any third party of a serious incident or has other grounds for considering that the conditions set out in Articles 60 and 61 are not met, it may take either of the following decisions on its territory, as appropriate: (a) to suspend or terminate the testing in real world conditions; (b) to require the provider or prospective provider and the deployer or prospective deployer to modify any aspect of the testing in real world conditions. 4. Where a market surveillance authority has taken a decision referred to in paragraph 3 of this Article, or has issued an objection within the meaning of Article 60(4), point (b), the decision or the objection shall indicate the grounds therefor and how the provider or prospective provider can challenge the decision or objection. 5. Where applicable, where a market surveillance authority has taken a decision referred to in paragraph 3, it shall communicate the grounds therefor to the market surveillance authorities of other Member States in which the AI system has been tested in accordance with the testing plan. Article 77 Powers of authorities protecting fundamental rights 1.
Show original text
Article 77 outlines the powers of national authorities that protect fundamental rights in relation to high-risk AI systems. These authorities can request and access any relevant documents created under this regulation, provided they are in an accessible format. They must inform the market surveillance authority of any such requests. By November 2, 2024, each Member State must identify and publicly list these authorities, notifying both the European Commission and other Member States, and keep the list updated. If the available documentation is not enough to determine if there has been a violation of fundamental rights, the authority can request the market surveillance authority to conduct technical testing of the AI system. This testing will be organized promptly and in collaboration with the requesting authority. Any information obtained must be kept confidential as per Article 78.
3, it shall communicate the grounds therefor to the market surveillance authorities of other Member States in which the AI system has been tested in accordance with the testing plan. Article 77 Powers of authorities protecting fundamental rights 1. National public authorities or bodies which supervise or enforce the respect of obligations under Union law protecting fundamental rights, including the right to non-discrimination, in relation to the use of high-risk AI systems referred to in Annex III shall have the power to request and access any documentation created or maintained under this Regulation in accessible language and format when access to that documentation is necessary for effectively fulfilling their mandates within the limits of their jurisdiction. The relevant public authority or body shall inform the market surveillance authority of the Member State concerned of any such request. 2. By 2 November 2024, each Member State shall identify the public authorities or bodies referred to in paragraph 1 and make a list of them publicly available. Member States shall notify the list to the Commission and to the other Member States, and shall keep the list up to date. 3. Where the documentation referred to in paragraph 1 is insufficient to ascertain whether an infringement of obligations under Union law protecting fundamental rights has occurred, the public authority or body referred to in paragraph 1 may make a reasoned request to the market surveillance authority, to organise testing of the high-risk AI system through technical means. The market surveillance authority shall organise the testing with the close involvement of the requesting public authority or body within a reasonable time following the request. 4. Any information or documentation obtained by the national public authorities or bodies referred to in paragraph 1 of this Article pursuant to this Article shall be treated in accordance with the confidentiality obligations set out in Article 78. Article 78 Confidentiality 1.
Show original text
Any information or documents obtained by national public authorities mentioned in paragraph 1 of this Article must be handled according to the confidentiality rules outlined in Article 78. Article 78 - Confidentiality 1. The Commission, market surveillance authorities, notified bodies, and any other individuals or organizations involved in enforcing this Regulation must keep information and data confidential, as required by Union or national law. This confidentiality is especially important for: (a) protecting intellectual property rights and confidential business information, including trade secrets and source code, except in specific cases mentioned in Article 5 of Directive (EU) 2016/943; (b) ensuring the effective enforcement of this Regulation, particularly during inspections, investigations, or audits; (c) safeguarding public and national security; (d) managing criminal or administrative proceedings; (e) handling classified information under Union or national law. 2. The authorities applying this Regulation will only request data that is essential for assessing the risks of AI systems and for exercising their powers under this Regulation and Regulation (EU) 2019/1020. They will implement strong cybersecurity measures to protect the confidentiality and security of the information collected and will delete any data as soon as it is no longer needed, following applicable Union or national laws. 3.
or documentation obtained by the national public authorities or bodies referred to in paragraph 1 of this Article pursuant to this Article shall be treated in accordance with the confidentiality obligations set out in Article 78. Article 78 Confidentiality 1. The Commission, market surveillance authorities and notified bodies and any other natural or legal person involved in the application of this Regulation shall, in accordance with Union or national law, respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular: OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 105/144 (a) the intellectual property rights and confidential business information or trade secrets of a natural or legal person, including source code, except in the cases referred to in Article 5 of Directive (EU) 2016/943 of the European Parliament and of the Council (57); (b) the effective implementation of this Regulation, in particular for the purposes of inspections, investigations or audits; (c) public and national security interests; (d) the conduct of criminal or administrative proceedings; (e) information classified pursuant to Union or national law. 2. The authorities involved in the application of this Regulation pursuant to paragraph 1 shall request only data that is strictly necessary for the assessment of the risk posed by AI systems and for the exercise of their powers in accordance with this Regulation and with Regulation (EU) 2019/1020. They shall put in place adequate and effective cybersecurity measures to protect the security and confidentiality of the information and data obtained, and shall delete the data collected as soon as it is no longer needed for the purpose for which it was obtained, in accordance with applicable Union or national law. 3.
Show original text
Measures will be taken to ensure the security and confidentiality of the information and data collected. This data will be deleted as soon as it is no longer needed, following applicable Union or national laws. Additionally, any confidential information shared between national authorities or between these authorities and the Commission cannot be disclosed without first consulting the originating authority and the deployer. This is especially important when high-risk AI systems, as mentioned in points 1, 6, or 7 of Annex III, are used by law enforcement, border control, immigration, or asylum authorities, and when such disclosure could threaten public or national security. This information exchange will not include sensitive operational data related to these authorities' activities. If law enforcement, immigration, or asylum authorities provide high-risk AI systems mentioned in points 1, 6, or 7 of Annex III, the technical documentation must remain on their premises. These authorities must allow market surveillance authorities, as outlined in Article 74(8) and (9), to access this documentation or obtain copies upon request. Only staff from the market surveillance authority with the necessary security clearance can access this documentation or copies of it. The rights and obligations of the Commission, Member States, and their relevant authorities, as well as notified bodies, regarding information exchange and warning dissemination, especially in cross-border cooperation, remain unchanged. This also does not affect the obligations of the parties involved to provide information under the criminal laws of the Member States.
measures to protect the security and confidentiality of the information and data obtained, and shall delete the data collected as soon as it is no longer needed for the purpose for which it was obtained, in accordance with applicable Union or national law. 3. Without prejudice to paragraphs 1 and 2, information exchanged on a confidential basis between the national competent authorities or between national competent authorities and the Commission shall not be disclosed without prior consultation of the originating national competent authority and the deployer when high-risk AI systems referred to in point 1, 6 or 7 of Annex III are used by law enforcement, border control, immigration or asylum authorities and when such disclosure would jeopardise public and national security interests. This exchange of information shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities. When the law enforcement, immigration or asylum authorities are providers of high-risk AI systems referred to in point 1, 6 or 7 of Annex III, the technical documentation referred to in Annex IV shall remain within the premises of those authorities. Those authorities shall ensure that the market surveillance authorities referred to in Article 74(8) and (9), as applicable, can, upon request, immediately access the documentation or obtain a copy thereof. Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access that documentation or any copy thereof. 4. Paragraphs 1, 2 and 3 shall not affect the rights or obligations of the Commission, Member States and their relevant authorities, as well as those of notified bodies, with regard to the exchange of information and the dissemination of warnings, including in the context of cross-border cooperation, nor shall they affect the obligations of the parties concerned to provide information under criminal law of the Member States. 5.
Show original text
Notified bodies are responsible for sharing information and warnings, especially in cross-border situations, without affecting the legal obligations of the parties involved to provide information under the criminal laws of Member States. The Commission and Member States can exchange confidential information with regulatory authorities in third countries, as long as there are confidentiality agreements in place that ensure adequate protection. Article 79 outlines the process for handling AI systems that pose risks. These AI systems are considered 'products presenting a risk' as defined in Article 3, point 19 of Regulation (EU) 2019/1020, if they threaten health, safety, or fundamental rights. If a Member State's market surveillance authority believes an AI system is risky, it must evaluate the system to ensure it meets all regulatory requirements. Special attention will be given to AI systems that may harm vulnerable groups. If any risks to fundamental rights are found, the market surveillance authority will inform and cooperate with the relevant national authorities. Operators must also cooperate with the market surveillance authority and other national bodies.
notified bodies, with regard to the exchange of information and the dissemination of warnings, including in the context of cross-border cooperation, nor shall they affect the obligations of the parties concerned to provide information under criminal law of the Member States. 5. The Commission and Member States may exchange, where necessary and in accordance with relevant provisions of international and trade agreements, confidential information with regulatory authorities of third countries with which they have concluded bilateral or multilateral confidentiality arrangements guaranteeing an adequate level of confidentiality. Article 79 Procedure at national level for dealing with AI systems presenting a risk 1. AI systems presenting a risk shall be understood as a ‘product presenting a risk’ as defined in Article 3, point 19 of Regulation (EU) 2019/1020, in so far as they present risks to the health or safety, or to fundamental rights, of persons. 2. Where the market surveillance authority of a Member State has sufficient reason to consider an AI system to present a risk as referred to in paragraph 1 of this Article, it shall carry out an evaluation of the AI system concerned in respect of its compliance with all the requirements and obligations laid down in this Regulation. Particular attention shall be given to AI systems presenting a risk to vulnerable groups. Where risks to fundamental rights are identified, the market surveillance authority shall also inform and fully cooperate with the relevant national public authorities or bodies referred to in Article 77(1). The relevant operators shall cooperate as necessary with the market surveillance authority and with the other national public authorities or bodies referred to in Article 77(1). EN OJ L, 12.7.
Show original text
According to Article 77(1), relevant operators must work together with the market surveillance authority and other national public authorities mentioned in the same article. Directive (EU) 2016/943, established on June 8, 2016, protects trade secrets from illegal acquisition, use, and disclosure. If the market surveillance authority, or the authority working with it, finds that an AI system does not meet the required standards, it must quickly instruct the operator to take corrective actions. This could include making the AI system compliant, withdrawing it from the market, or recalling it within a specified time frame, which cannot exceed 15 working days or the time set by relevant EU legislation. The market surveillance authority will notify the appropriate body about these actions. If the authority believes the non-compliance issue affects more than just its own country, it must promptly inform the European Commission and other Member States about the evaluation results and the required actions.
to in Article 77(1). The relevant operators shall cooperate as necessary with the market surveillance authority and with the other national public authorities or bodies referred to in Article 77(1). EN OJ L, 12.7.2024 106/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (57) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1). Where, in the course of that evaluation, the market surveillance authority or, where applicable the market surveillance authority in cooperation with the national public authority referred to in Article 77(1), finds that the AI system does not comply with the requirements and obligations laid down in this Regulation, it shall without undue delay require the relevant operator to take all appropriate corrective actions to bring the AI system into compliance, to withdraw the AI system from the market, or to recall it within a period the market surveillance authority may prescribe, and in any event within the shorter of 15 working days, or as provided for in the relevant Union harmonisation legislation. The market surveillance authority shall inform the relevant notified body accordingly. Article 18 of Regulation (EU) 2019/1020 shall apply to the measures referred to in the second subparagraph of this paragraph. 3. Where the market surveillance authority considers that the non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States without undue delay of the results of the evaluation and of the actions which it has required the operator to take. 4.
Show original text
If a country finds that an AI system is not compliant with regulations, it must quickly inform the European Commission and other Member States about the evaluation results and the actions it has required from the operator. The operator is responsible for taking corrective actions for all AI systems it has made available in the EU market. If the operator fails to take adequate corrective action within the specified time, the market surveillance authority can take necessary temporary measures. These measures may include prohibiting or restricting the AI system's availability in the national market, withdrawing the product, or recalling it. The authority must promptly notify the Commission and other Member States about these actions. This notification should include details such as the identification of the non-compliant AI system, its origin, the supply chain, the nature of the non-compliance, the risks involved, the duration of the national measures taken, and the operator's arguments. The market surveillance authorities should specify if the non-compliance is due to: (a) violations of prohibited AI practices, (b) a high-risk AI system not meeting required standards, (c) issues with harmonized standards or specifications, or (d) violations of Article 50.
considers that the non-compliance is not restricted to its national territory, it shall inform the Commission and the other Member States without undue delay of the results of the evaluation and of the actions which it has required the operator to take. 4. The operator shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the Union market. 5. Where the operator of an AI system does not take adequate corrective action within the period referred to in paragraph 2, the market surveillance authority shall take all appropriate provisional measures to prohibit or restrict the AI system’s being made available on its national market or put into service, to withdraw the product or the standalone AI system from that market or to recall it. That authority shall without undue delay notify the Commission and the other Member States of those measures. 6. The notification referred to in paragraph 5 shall include all available details, in particular the information necessary for the identification of the non-compliant AI system, the origin of the AI system and the supply chain, the nature of the non-compliance alleged and the risk involved, the nature and duration of the national measures taken and the arguments put forward by the relevant operator. In particular, the market surveillance authorities shall indicate whether the non-compliance is due to one or more of the following: (a) non-compliance with the prohibition of the AI practices referred to in Article 5; (b) a failure of a high-risk AI system to meet requirements set out in Chapter III, Section 2; (c) shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity; (d) non-compliance with Article 50. 7.
Show original text
According to Chapter III, Section 2, there are several reasons for non-compliance, including: (c) issues with the harmonised standards or common specifications mentioned in Articles 40 and 41 that suggest conformity; (d) failure to comply with Article 50. 7. Market surveillance authorities, other than the one from the Member State that started the procedure, must quickly inform the Commission and other Member States about any actions taken and any additional information they have regarding the non-compliance of the AI system. They should also share any objections if they disagree with the national measure that was notified. 8. If no objections are raised by a market surveillance authority or the Commission within three months of receiving the notification mentioned in paragraph 5, the provisional measure taken by another Member State's authority will be considered justified. This does not affect the procedural rights of the operator as outlined in Article 18 of Regulation (EU) 2019/1020. If there is non-compliance with the AI practices prohibited in Article 5, this three-month period is shortened to 30 days. 9. Market surveillance authorities must take appropriate actions, such as withdrawing the product or AI system from the market, without delay. Article 80 outlines the procedure for handling AI systems that the provider has classified as non-high-risk according to Annex III.
set out in Chapter III, Section 2; (c) shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 conferring a presumption of conformity; (d) non-compliance with Article 50. 7. The market surveillance authorities other than the market surveillance authority of the Member State initiating the procedure shall, without undue delay, inform the Commission and the other Member States of any measures adopted and of any additional information at their disposal relating to the non-compliance of the AI system concerned, and, in the event of disagreement with the notified national measure, of their objections. 8. Where, within three months of receipt of the notification referred to in paragraph 5 of this Article, no objection has been raised by either a market surveillance authority of a Member State or by the Commission in respect of a provisional measure taken by a market surveillance authority of another Member State, that measure shall be deemed justified. This shall be without prejudice to the procedural rights of the concerned operator in accordance with Article 18 of Regulation (EU) 2019/1020. The three-month period referred to in this paragraph shall be reduced to 30 days in the event of non-compliance with the prohibition of the AI practices referred to in Article 5 of this Regulation. 9. The market surveillance authorities shall ensure that appropriate restrictive measures are taken in respect of the product or the AI system concerned, such as withdrawal of the product or the AI system from their market, without undue delay. Article 80 Procedure for dealing with AI systems classified by the provider as non-high-risk in application of Annex III 1.
Show original text
If a market surveillance authority believes that an AI system, which the provider classified as non-high-risk, is actually high-risk, it will evaluate the system based on the criteria in Article 6(3) and the Commission's guidelines. If the authority determines that the AI system is indeed high-risk, it will promptly require the provider to take necessary actions to ensure compliance with the regulations and to implement corrective measures within a specified timeframe. If the AI system's use extends beyond the national territory, the authority will inform the Commission and other Member States about the evaluation results and the required actions. The provider must ensure compliance with the regulations. If the provider fails to comply within the given timeframe, they may face fines as outlined in Article 99.
the AI system concerned, such as withdrawal of the product or the AI system from their market, without undue delay. Article 80 Procedure for dealing with AI systems classified by the provider as non-high-risk in application of Annex III 1. Where a market surveillance authority has sufficient reason to consider that an AI system classified by the provider as non-high-risk pursuant to Article 6(3) is indeed high-risk, the market surveillance authority shall carry out an evaluation of the AI system concerned in respect of its classification as a high-risk AI system based on the conditions set out in Article 6(3) and the Commission guidelines. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 107/144 2. Where, in the course of that evaluation, the market surveillance authority finds that the AI system concerned is high-risk, it shall without undue delay require the relevant provider to take all necessary actions to bring the AI system into compliance with the requirements and obligations laid down in this Regulation, as well as take appropriate corrective action within a period the market surveillance authority may prescribe. 3. Where the market surveillance authority considers that the use of the AI system concerned is not restricted to its national territory, it shall inform the Commission and the other Member States without undue delay of the results of the evaluation and of the actions which it has required the provider to take. 4. The provider shall ensure that all necessary action is taken to bring the AI system into compliance with the requirements and obligations laid down in this Regulation. Where the provider of an AI system concerned does not bring the AI system into compliance with those requirements and obligations within the period referred to in paragraph 2 of this Article, the provider shall be subject to fines in accordance with Article 99. 5.
Show original text
If the provider of an AI system does not comply with the required regulations within the specified time frame, they will face fines as outlined in Article 99. The provider must take necessary corrective actions for all AI systems they have made available in the EU market. If they fail to do so within the given time, the provisions in Article 79(5) to (9) will apply. If a market surveillance authority finds that the provider incorrectly classified the AI system as low-risk to avoid regulations, the provider will also face fines under Article 99. Market surveillance authorities have the power to monitor compliance with this Article and can conduct checks, especially using information from the EU database mentioned in Article 71. Additionally, if objections arise within three months of notification or within 30 days for non-compliance with certain AI practices, the Commission will consult with the relevant market surveillance authority and evaluate the national measure.
provider of an AI system concerned does not bring the AI system into compliance with those requirements and obligations within the period referred to in paragraph 2 of this Article, the provider shall be subject to fines in accordance with Article 99. 5. The provider shall ensure that all appropriate corrective action is taken in respect of all the AI systems concerned that it has made available on the Union market. 6. Where the provider of the AI system concerned does not take adequate corrective action within the period referred to in paragraph 2 of this Article, Article 79(5) to (9) shall apply. 7. Where, in the course of the evaluation pursuant to paragraph 1 of this Article, the market surveillance authority establishes that the AI system was misclassified by the provider as non-high-risk in order to circumvent the application of requirements in Chapter III, Section 2, the provider shall be subject to fines in accordance with Article 99. 8. In exercising their power to monitor the application of this Article, and in accordance with Article 11 of Regulation (EU) 2019/1020, market surveillance authorities may perform appropriate checks, taking into account in particular information stored in the EU database referred to in Article 71 of this Regulation. Article 81 Union safeguard procedure 1. Where, within three months of receipt of the notification referred to in Article 79(5), or within 30 days in the case of non-compliance with the prohibition of the AI practices referred to in Article 5, objections are raised by the market surveillance authority of a Member State to a measure taken by another market surveillance authority, or where the Commission considers the measure to be contrary to Union law, the Commission shall without undue delay enter into consultation with the market surveillance authority of the relevant Member State and the operator or operators, and shall evaluate the national measure.
Show original text
If the Commission believes that a national measure goes against Union law, it will quickly consult with the relevant Member State's market surveillance authority and the operators involved to assess the measure. Based on this assessment, the Commission will decide within six months (or within 60 days for non-compliance with AI practices mentioned in Article 5) whether the national measure is justified. The Commission will then notify the relevant market surveillance authority and inform all other market surveillance authorities of its decision. If the Commission finds the national measure justified, all Member States must take appropriate actions against the AI system, such as removing it from their market promptly, and inform the Commission. If the measure is deemed unjustified, the Member State must withdraw it and notify the Commission. If the justified national measure is due to issues with the harmonized standards or common specifications outlined in Articles 40 and 41, the Commission will follow the procedure in Article 11 of Regulation (EU) No 1025/2012.
or where the Commission considers the measure to be contrary to Union law, the Commission shall without undue delay enter into consultation with the market surveillance authority of the relevant Member State and the operator or operators, and shall evaluate the national measure. On the basis of the results of that evaluation, the Commission shall, within six months, or within 60 days in the case of non-compliance with the prohibition of the AI practices referred to in Article 5, starting from the notification referred to in Article 79(5), decide whether the national measure is justified and shall notify its decision to the market surveillance authority of the Member State concerned. The Commission shall also inform all other market surveillance authorities of its decision. 2. Where the Commission considers the measure taken by the relevant Member State to be justified, all Member States shall ensure that they take appropriate restrictive measures in respect of the AI system concerned, such as requiring the withdrawal of the AI system from their market without undue delay, and shall inform the Commission accordingly. Where the Commission considers the national measure to be unjustified, the Member State concerned shall withdraw the measure and shall inform the Commission accordingly. 3. Where the national measure is considered justified and the non-compliance of the AI system is attributed to shortcomings in the harmonised standards or common specifications referred to in Articles 40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012. Article 82 Compliant AI systems which present a risk 1.
Show original text
According to Articles 40 and 41 of this Regulation, the Commission will follow the procedure outlined in Article 11 of Regulation (EU) No 1025/2012. Article 82: Risky Compliant AI Systems 1. If, after evaluating under Article 79 and consulting the relevant national authority mentioned in Article 77(1), a market surveillance authority in a Member State finds that a high-risk AI system complies with the Regulation but still poses a risk to health, safety, fundamental rights, or public interest, it must require the operator to take necessary actions to eliminate that risk promptly, within a specified timeframe. 2. The provider or relevant operator must ensure that corrective actions are taken for all affected AI systems available in the EU market within the timeframe set by the market surveillance authority. 3. Member States must immediately notify the Commission and other Member States about any findings from paragraph 1. This notification should include all relevant details, such as the identification of the AI system, its origin and supply chain, the nature of the risk, and the national measures taken. 4. The Commission will promptly consult with the affected Member States and relevant operators to assess the national measures implemented.
40 and 41 of this Regulation, the Commission shall apply the procedure provided for in Article 11 of Regulation (EU) No 1025/2012. Article 82 Compliant AI systems which present a risk 1. Where, having performed an evaluation under Article 79, after consulting the relevant national public authority referred to in Article 77(1), the market surveillance authority of a Member State finds that although a high-risk AI system complies with this Regulation, it nevertheless presents a risk to the health or safety of persons, to fundamental rights, or to other aspects of public interest protection, it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk without undue delay, within a period it may prescribe. EN OJ L, 12.7.2024 108/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 2. The provider or other relevant operator shall ensure that corrective action is taken in respect of all the AI systems concerned that it has made available on the Union market within the timeline prescribed by the market surveillance authority of the Member State referred to in paragraph 1. 3. The Member States shall immediately inform the Commission and the other Member States of a finding under paragraph 1. That information shall include all available details, in particular the data necessary for the identification of the AI system concerned, the origin and the supply chain of the AI system, the nature of the risk involved and the nature and duration of the national measures taken. 4. The Commission shall without undue delay enter into consultation with the Member States concerned and the relevant operators, and shall evaluate the national measures taken.
Show original text
The Commission will quickly consult with the relevant Member States and operators to assess the national measures taken regarding risks. Based on this assessment, the Commission will determine if the measures are justified and suggest other actions if needed. The Commission will then inform the concerned Member States and operators of its decision, as well as notify other Member States. Article 83: Formal Non-Compliance 1. If a Member State's market surveillance authority finds any of the following issues, it will require the provider to correct the non-compliance within a specified time frame: (a) The CE marking was improperly affixed. (b) The CE marking was not affixed at all. (c) The EU declaration of conformity was not created as required. (d) The EU declaration of conformity was created incorrectly. (e) Registration in the EU database was not completed. (f) An authorized representative was not appointed, if necessary. (g) Technical documentation is missing. 2. If the non-compliance continues, the market surveillance authority will take appropriate measures to restrict or prohibit the high-risk AI system from being sold or ensure it is recalled or removed from the market immediately. Article 84: Union AI Testing Support Structures 1. The Commission will designate one or more Union AI testing support structures to carry out tasks related to AI as outlined in Article 21(6) of Regulation (EU) 2019/1020.
system, the nature of the risk involved and the nature and duration of the national measures taken. 4. The Commission shall without undue delay enter into consultation with the Member States concerned and the relevant operators, and shall evaluate the national measures taken. On the basis of the results of that evaluation, the Commission shall decide whether the measure is justified and, where necessary, propose other appropriate measures. 5. The Commission shall immediately communicate its decision to the Member States concerned and to the relevant operators. It shall also inform the other Member States. Article 83 Formal non-compliance 1. Where the market surveillance authority of a Member State makes one of the following findings, it shall require the relevant provider to put an end to the non-compliance concerned, within a period it may prescribe: (a) the CE marking has been affixed in violation of Article 48; (b) the CE marking has not been affixed; (c) the EU declaration of conformity referred to in Article 47 has not been drawn up; (d) the EU declaration of conformity referred to in Article 47 has not been drawn up correctly; (e) the registration in the EU database referred to in Article 71 has not been carried out; (f) where applicable, no authorised representative has been appointed; (g) technical documentation is not available. 2. Where the non-compliance referred to in paragraph 1 persists, the market surveillance authority of the Member State concerned shall take appropriate and proportionate measures to restrict or prohibit the high-risk AI system being made available on the market or to ensure that it is recalled or withdrawn from the market without delay. Article 84 Union AI testing support structures 1. The Commission shall designate one or more Union AI testing support structures to perform the tasks listed under Article 21(6) of Regulation (EU) 2019/1020 in the area of AI. 2.
Show original text
1. The Commission will appoint one or more Union AI testing support structures to carry out the tasks specified in Article 21(6) of Regulation (EU) 2019/1020 related to AI. 2. In addition to these tasks, the Union AI testing support structures will also provide independent technical or scientific advice when requested by the Board, the Commission, or market surveillance authorities. SECTION 4 Remedies Article 85 Right to lodge a complaint with a market surveillance authority Anyone who believes there has been a violation of this Regulation can file a complaint with the appropriate market surveillance authority. These complaints will be considered for market surveillance activities and will be processed according to the established procedures. Article 86 Right to explanation of individual decision-making 1. Individuals affected by decisions made based on the output of high-risk AI systems (as listed in Annex III, excluding point 2) that have legal consequences or significantly impact their health, safety, or fundamental rights have the right to receive clear explanations from the deployer about how the AI system influenced the decision and the key factors involved in that decision. 2.
testing support structures 1. The Commission shall designate one or more Union AI testing support structures to perform the tasks listed under Article 21(6) of Regulation (EU) 2019/1020 in the area of AI. 2. Without prejudice to the tasks referred to in paragraph 1, Union AI testing support structures shall also provide independent technical or scientific advice at the request of the Board, the Commission, or of market surveillance authorities. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 109/144 SECTION 4 Remedies Article 85 Right to lodge a complaint with a market surveillance authority Without prejudice to other administrative or judicial remedies, any natural or legal person having grounds to consider that there has been an infringement of the provisions of this Regulation may submit complaints to the relevant market surveillance authority. In accordance with Regulation (EU) 2019/1020, such complaints shall be taken into account for the purpose of conducting market surveillance activities, and shall be handled in line with the dedicated procedures established therefor by the market surveillance authorities. Article 86 Right to explanation of individual decision-making 1. Any affected person subject to a decision which is taken by the deployer on the basis of the output from a high-risk AI system listed in Annex III, with the exception of systems listed under point 2 thereof, and which produces legal effects or similarly significantly affects that person in a way that they consider to have an adverse impact on their health, safety or fundamental rights shall have the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken. 2.
Show original text
Individuals who experience negative effects on their health, safety, or fundamental rights due to an AI system have the right to receive clear explanations from the deployer about how the AI system influenced the decision-making process and the key factors that led to the decision. This right does not apply if there are exceptions or restrictions set by Union or national law that comply with Union law. This article is only applicable if the right mentioned is not already covered by Union law. Article 87 states that Directive (EU) 2019/1937 applies to reporting violations of this regulation and protects those who report such violations. Section 5 discusses the supervision, investigation, enforcement, and monitoring of providers of general-purpose AI models. Article 88 gives the Commission exclusive authority to supervise and enforce Chapter V, considering the procedural guarantees outlined in Article 94. The Commission will delegate these tasks to the AI Office, while respecting the powers of the Commission and the distribution of responsibilities between Member States and the Union as defined by treaties. Market surveillance authorities can ask the Commission to use its powers in this section if necessary to help them fulfill their duties under this regulation.
adverse impact on their health, safety or fundamental rights shall have the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken. 2. Paragraph 1 shall not apply to the use of AI systems for which exceptions from, or restrictions to, the obligation under that paragraph follow from Union or national law in compliance with Union law. 3. This Article shall apply only to the extent that the right referred to in paragraph 1 is not otherwise provided for under Union law. Article 87 Reporting of infringements and protection of reporting persons Directive (EU) 2019/1937 shall apply to the reporting of infringements of this Regulation and the protection of persons reporting such infringements. SECTION 5 Supervision, investigation, enforcement and monitoring in respect of providers of general-purpose AI models Article 88 Enforcement of the obligations of providers of general-purpose AI models 1. The Commission shall have exclusive powers to supervise and enforce Chapter V, taking into account the procedural guarantees under Article 94. The Commission shall entrust the implementation of these tasks to the AI Office, without prejudice to the powers of organisation of the Commission and the division of competences between Member States and the Union based on the Treaties. 2. Without prejudice to Article 75(3), market surveillance authorities may request the Commission to exercise the powers laid down in this Section, where that is necessary and proportionate to assist with the fulfilment of their tasks under this Regulation. EN OJ L, 12.7.2024 110/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 89 Monitoring actions 1.
Show original text
Regulation Overview: **Publication Date:** July 12, 2024 **Official Journal Reference:** OJ L 110/144 **Link:** [EU Regulation 2024/1689](http://data.europa.eu/eli/reg/2024/1689/oj) **Article 89: Monitoring Actions** 1. The AI Office is responsible for ensuring that providers of general-purpose AI models follow this Regulation and any approved codes of practice. To do this, the AI Office can take necessary monitoring actions. 2. Downstream providers (those using the AI models) can file a complaint if they believe a provider has violated this Regulation. The complaint must include: (a) Contact information for the provider of the AI model in question; (b) A detailed description of the situation, the specific Regulation provisions involved, and the reasons for the complaint; (c) Any additional relevant information the downstream provider wishes to include, including any self-gathered data. **Article 90: Alerts of Systemic Risks by the Scientific Panel** 1. The scientific panel can alert the AI Office if it suspects that: (a) A general-purpose AI model poses a specific risk at the EU level; or (b) A general-purpose AI model meets certain conditions outlined in Article 51. 2. Following such an alert, the Commission, through the AI Office and after notifying the Board, can take necessary actions to investigate the issue. The AI Office will keep the Board informed about any measures taken as per Articles 91 to 94.
Regulation. EN OJ L, 12.7.2024 110/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 89 Monitoring actions 1. For the purpose of carrying out the tasks assigned to it under this Section, the AI Office may take the necessary actions to monitor the effective implementation and compliance with this Regulation by providers of general-purpose AI models, including their adherence to approved codes of practice. 2. Downstream providers shall have the right to lodge a complaint alleging an infringement of this Regulation. A complaint shall be duly reasoned and indicate at least: (a) the point of contact of the provider of the general-purpose AI model concerned; (b) a description of the relevant facts, the provisions of this Regulation concerned, and the reason why the downstream provider considers that the provider of the general-purpose AI model concerned infringed this Regulation; (c) any other information that the downstream provider that sent the request considers relevant, including, where appropriate, information gathered on its own initiative. Article 90 Alerts of systemic risks by the scientific panel 1. The scientific panel may provide a qualified alert to the AI Office where it has reason to suspect that: (a) a general-purpose AI model poses concrete identifiable risk at Union level; or (b) a general-purpose AI model meets the conditions referred to in Article 51. 2. Upon such qualified alert, the Commission, through the AI Office and after having informed the Board, may exercise the powers laid down in this Section for the purpose of assessing the matter. The AI Office shall inform the Board of any measure according to Articles 91 to 94. 3.
Show original text
The AI Office, after informing the Board, can use its powers to evaluate the situation. It must notify the Board of any actions taken according to Articles 91 to 94. A qualified alert must include: (a) the contact information of the provider of the general-purpose AI model related to the systemic risk; (b) a detailed explanation of the relevant facts and reasons for the alert from the scientific panel; (c) any other relevant information the scientific panel deems necessary, including any information it has gathered independently. Article 91 outlines the Commission's authority to request documentation and information: 1. The Commission can ask the provider of the general-purpose AI model for documents created according to Articles 53 and 55, or any additional information needed to assess compliance with this Regulation. 2. Before making a request for information, the AI Office may engage in a structured dialogue with the provider. 3. If the scientific panel makes a justified request, the Commission can ask a provider for information necessary for the panel's tasks under Article 68(2). 4. The information request must include the legal basis and purpose of the request, specify the required information, set a deadline for submission, and mention the penalties outlined in Article 101 for providing incorrect, incomplete, or misleading information.
the AI Office and after having informed the Board, may exercise the powers laid down in this Section for the purpose of assessing the matter. The AI Office shall inform the Board of any measure according to Articles 91 to 94. 3. A qualified alert shall be duly reasoned and indicate at least: (a) the point of contact of the provider of the general-purpose AI model with systemic risk concerned; (b) a description of the relevant facts and the reasons for the alert by the scientific panel; (c) any other information that the scientific panel considers to be relevant, including, where appropriate, information gathered on its own initiative. Article 91 Power to request documentation and information 1. The Commission may request the provider of the general-purpose AI model concerned to provide the documentation drawn up by the provider in accordance with Articles 53 and 55, or any additional information that is necessary for the purpose of assessing compliance of the provider with this Regulation. 2. Before sending the request for information, the AI Office may initiate a structured dialogue with the provider of the general-purpose AI model. 3. Upon a duly substantiated request from the scientific panel, the Commission may issue a request for information to a provider of a general-purpose AI model, where the access to information is necessary and proportionate for the fulfilment of the tasks of the scientific panel under Article 68(2). OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 111/144 4. The request for information shall state the legal basis and the purpose of the request, specify what information is required, set a period within which the information is to be provided, and indicate the fines provided for in Article 101 for supplying incorrect, incomplete or misleading information. 5.
Show original text
The request must clearly state the reason for the information needed, specify what information is required, set a deadline for providing this information, and mention the penalties outlined in Article 101 for giving incorrect, incomplete, or misleading information. The provider of the general-purpose AI model, or their representative, must supply the requested information. If the provider is a legal entity, such as a company or firm, or lacks legal personality, the individuals authorized by law or their governing documents must provide the information on behalf of the provider. Authorized lawyers can also supply information for their clients, but the clients remain fully responsible for any incomplete, incorrect, or misleading information provided. Article 92 outlines the AI Office's authority to conduct evaluations: 1. The AI Office, after consulting the Board, can evaluate the general-purpose AI model to: (a) check if the provider is complying with regulations when the information from Article 91 is insufficient, or (b) investigate systemic risks associated with general-purpose AI models, especially after a qualified alert from the scientific panel as per Article 90(1)(a). 2. The Commission may appoint independent experts, including those from the scientific panel established in Article 68, to conduct these evaluations. These experts must meet the criteria specified in Article 68(2). 3. To carry out evaluations, the Commission may request access to the general-purpose AI model through APIs or other technical means, including the source code. 4. The access request must include the legal basis, purpose, reasons for the request, a deadline for providing access, and mention the penalties in Article 101 for not providing access.
basis and the purpose of the request, specify what information is required, set a period within which the information is to be provided, and indicate the fines provided for in Article 101 for supplying incorrect, incomplete or misleading information. 5. The provider of the general-purpose AI model concerned, or its representative shall supply the information requested. In the case of legal persons, companies or firms, or where the provider has no legal personality, the persons authorised to represent them by law or by their statutes, shall supply the information requested on behalf of the provider of the general-purpose AI model concerned. Lawyers duly authorised to act may supply information on behalf of their clients. The clients shall nevertheless remain fully responsible if the information supplied is incomplete, incorrect or misleading. Article 92 Power to conduct evaluations 1. The AI Office, after consulting the Board, may conduct evaluations of the general-purpose AI model concerned: (a) to assess compliance of the provider with obligations under this Regulation, where the information gathered pursuant to Article 91 is insufficient; or (b) to investigate systemic risks at Union level of general-purpose AI models with systemic risk, in particular following a qualified alert from the scientific panel in accordance with Article 90(1), point (a). 2. The Commission may decide to appoint independent experts to carry out evaluations on its behalf, including from the scientific panel established pursuant to Article 68. Independent experts appointed for this task shall meet the criteria outlined in Article 68(2). 3. For the purposes of paragraph 1, the Commission may request access to the general-purpose AI model concerned through APIs or further appropriate technical means and tools, including source code. 4. The request for access shall state the legal basis, the purpose and reasons of the request and set the period within which the access is to be provided, and the fines provided for in Article 101 for failure to provide access. 5.
Show original text
4. A request for access must include the legal basis, purpose, reasons for the request, the timeframe for providing access, and mention the fines outlined in Article 101 for not granting access. 5. The providers of the general-purpose AI model or their representatives must provide the requested information. If the provider is a legal entity, such as a company, the authorized representatives must fulfill the request on behalf of the provider. 6. The Commission will create detailed rules and conditions for evaluations, including how to involve independent experts and the selection process for them. These rules will follow the examination procedure mentioned in Article 98(2). 7. Before requesting access to the AI model, the AI Office may have a structured discussion with the provider to learn more about the model's internal testing, safeguards against systemic risks, and other measures taken to address these risks. Article 93 Power to request measures 1. If necessary, the Commission may ask providers to: (a) take appropriate actions to meet the obligations in Articles 53 and 54; (b) implement measures to address serious concerns about systemic risks identified in the evaluation under Article 92; (c) limit market availability, withdraw, or recall the model.
4. The request for access shall state the legal basis, the purpose and reasons of the request and set the period within which the access is to be provided, and the fines provided for in Article 101 for failure to provide access. 5. The providers of the general-purpose AI model concerned or its representative shall supply the information requested. In the case of legal persons, companies or firms, or where the provider has no legal personality, the persons authorised to represent them by law or by their statutes, shall provide the access requested on behalf of the provider of the general-purpose AI model concerned. 6. The Commission shall adopt implementing acts setting out the detailed arrangements and the conditions for the evaluations, including the detailed arrangements for involving independent experts, and the procedure for the selection thereof. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2). 7. Prior to requesting access to the general-purpose AI model concerned, the AI Office may initiate a structured dialogue with the provider of the general-purpose AI model to gather more information on the internal testing of the model, internal safeguards for preventing systemic risks, and other internal procedures and measures the provider has taken to mitigate such risks. Article 93 Power to request measures 1. Where necessary and appropriate, the Commission may request providers to: (a) take appropriate measures to comply with the obligations set out in Articles 53 and 54; EN OJ L, 12.7.2024 112/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (b) implement mitigation measures, where the evaluation carried out in accordance with Article 92 has given rise to serious and substantiated concern of a systemic risk at Union level; (c) restrict the making available on the market, withdraw or recall the model. 2.
Show original text
If an evaluation under Article 92 shows serious concerns about systemic risks at the Union level, mitigation measures may be taken, which could include limiting the availability of the AI model, withdrawing it from the market, or recalling it. Before taking action, the AI Office can start a structured dialogue with the provider of the general-purpose AI model. If during this dialogue the provider offers to implement measures to address the systemic risk, the Commission can make these commitments binding and decide that no further action is needed. Article 94 states that the procedural rights outlined in Article 18 of Regulation (EU) 2019/1020 apply to providers of general-purpose AI models, along with any specific rights mentioned in this Regulation. In Chapter X, Article 95 discusses codes of conduct for voluntary compliance with specific requirements. The AI Office and Member States will promote and support the creation of these codes, which aim to encourage the voluntary application of some or all requirements from Chapter III, Section 2, for AI systems that are not classified as high-risk, considering available technical solutions and industry best practices.
mitigation measures, where the evaluation carried out in accordance with Article 92 has given rise to serious and substantiated concern of a systemic risk at Union level; (c) restrict the making available on the market, withdraw or recall the model. 2. Before a measure is requested, the AI Office may initiate a structured dialogue with the provider of the general-purpose AI model. 3. If, during the structured dialogue referred to in paragraph 2, the provider of the general-purpose AI model with systemic risk offers commitments to implement mitigation measures to address a systemic risk at Union level, the Commission may, by decision, make those commitments binding and declare that there are no further grounds for action. Article 94 Procedural rights of economic operators of the general-purpose AI model Article 18 of Regulation (EU) 2019/1020 shall apply mutatis mutandis to the providers of the general-purpose AI model, without prejudice to more specific procedural rights provided for in this Regulation. CHAPTER X CODES OF CONDUCT AND GUIDELINES Article 95 Codes of conduct for voluntary application of specific requirements 1. The AI Office and the Member States shall encourage and facilitate the drawing up of codes of conduct, including related governance mechanisms, intended to foster the voluntary application to AI systems, other than high-risk AI systems, of some or all of the requirements set out in Chapter III, Section 2 taking into account the available technical solutions and industry best practices allowing for the application of such requirements. 2.
Show original text
AI systems that are not classified as high-risk may be subject to some or all requirements outlined in Chapter III, Section 2, depending on available technical solutions and industry best practices. The AI Office and Member States will help create voluntary codes of conduct for AI systems. These codes will include specific requirements based on clear goals and key performance indicators to measure success. Key elements may include: (a) adherence to Union ethical guidelines for trustworthy AI; (b) evaluating and reducing the environmental impact of AI systems, focusing on energy-efficient programming and design; (c) promoting AI literacy, especially for those involved in developing and using AI; (d) ensuring inclusive and diverse design of AI systems by forming diverse development teams and encouraging stakeholder participation; (e) assessing and preventing negative impacts of AI on vulnerable groups, including ensuring accessibility for people with disabilities and promoting gender equality. Codes of conduct can be created by individual AI providers or deployers, organizations representing them, or both, with input from interested stakeholders, including civil society and academia. These codes may apply to one or more AI systems with similar purposes. The AI Office and Member States will consider the specific needs of small and medium-sized enterprises (SMEs), including start-ups, when promoting the development of these codes.
to AI systems, other than high-risk AI systems, of some or all of the requirements set out in Chapter III, Section 2 taking into account the available technical solutions and industry best practices allowing for the application of such requirements. 2. The AI Office and the Member States shall facilitate the drawing up of codes of conduct concerning the voluntary application, including by deployers, of specific requirements to all AI systems, on the basis of clear objectives and key performance indicators to measure the achievement of those objectives, including elements such as, but not limited to: (a) applicable elements provided for in Union ethical guidelines for trustworthy AI; (b) assessing and minimising the impact of AI systems on environmental sustainability, including as regards energy-efficient programming and techniques for the efficient design, training and use of AI; (c) promoting AI literacy, in particular that of persons dealing with the development, operation and use of AI; (d) facilitating an inclusive and diverse design of AI systems, including through the establishment of inclusive and diverse development teams and the promotion of stakeholders’ participation in that process; (e) assessing and preventing the negative impact of AI systems on vulnerable persons or groups of vulnerable persons, including as regards accessibility for persons with a disability, as well as on gender equality. 3. Codes of conduct may be drawn up by individual providers or deployers of AI systems or by organisations representing them or by both, including with the involvement of any interested stakeholders and their representative organisations, including civil society organisations and academia. Codes of conduct may cover one or more AI systems taking into account the similarity of the intended purpose of the relevant systems. 4. The AI Office and the Member States shall take into account the specific interests and needs of SMEs, including start-ups, when encouraging and facilitating the drawing up of codes of conduct. OJ L, 12.7.
Show original text
The AI Office and Member States will consider the specific needs of small and medium-sized enterprises (SMEs), including start-ups, when creating codes of conduct. Article 96 outlines that the Commission will create guidelines for implementing this Regulation, focusing on: (a) the requirements in Articles 8 to 15 and Article 25; (b) the prohibited practices in Article 5; (c) how to handle substantial modifications; (d) transparency obligations in Article 50; (e) the relationship between this Regulation and other EU laws listed in Annex I; (f) the definition of an AI system in Article 3, point (1). The Commission will pay special attention to the needs of SMEs, local public authorities, and sectors most affected by this Regulation when developing these guidelines. The guidelines will also consider the current state of AI technology and relevant standards mentioned in Articles 40 and 41. The Commission can update these guidelines at the request of Member States or the AI Office, or on its own initiative, when necessary.
systems. 4. The AI Office and the Member States shall take into account the specific interests and needs of SMEs, including start-ups, when encouraging and facilitating the drawing up of codes of conduct. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 113/144 Article 96 Guidelines from the Commission on the implementation of this Regulation 1. The Commission shall develop guidelines on the practical implementation of this Regulation, and in particular on: (a) the application of the requirements and obligations referred to in Articles 8 to 15 and in Article 25; (b) the prohibited practices referred to in Article 5; (c) the practical implementation of the provisions related to substantial modification; (d) the practical implementation of transparency obligations laid down in Article 50; (e) detailed information on the relationship of this Regulation with the Union harmonisation legislation listed in Annex I, as well as with other relevant Union law, including as regards consistency in their enforcement; (f) the application of the definition of an AI system as set out in Article 3, point (1). When issuing such guidelines, the Commission shall pay particular attention to the needs of SMEs including start-ups, of local public authorities and of the sectors most likely to be affected by this Regulation. The guidelines referred to in the first subparagraph of this paragraph shall take due account of the generally acknowledged state of the art on AI, as well as of relevant harmonised standards and common specifications that are referred to in Articles 40 and 41, or of those harmonised standards or technical specifications that are set out pursuant to Union harmonisation law. 2. At the request of the Member States or the AI Office, or on its own initiative, the Commission shall update guidelines previously adopted when deemed necessary.
Show original text
The Commission can create standards or technical specifications based on EU harmonization law. It can update existing guidelines when requested by Member States, the AI Office, or on its own initiative. **Chapter XI: Delegation of Power and Committee Procedure** **Article 97: Exercise of the Delegation** 1. The Commission has the authority to adopt delegated acts as outlined in this Article. 2. The Commission can adopt delegated acts related to Articles 6(6), 6(7), 7(1), 7(3), 11(3), 43(5), 43(6), 47(5), 51(3), 52(4), and 53(5) and (6) for five years starting from August 1, 2024. It must report on this delegation of power no later than nine months before the five-year period ends. This delegation will automatically extend for the same duration unless the European Parliament or the Council objects at least three months before the end of each period. 3. The European Parliament or the Council can revoke this delegation of power at any time, which will end the specified delegation.
standards or technical specifications that are set out pursuant to Union harmonisation law. 2. At the request of the Member States or the AI Office, or on its own initiative, the Commission shall update guidelines previously adopted when deemed necessary. CHAPTER XI DELEGATION OF POWER AND COMMITTEE PROCEDURE Article 97 Exercise of the delegation 1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article. 2. The power to adopt delegated acts referred to in Article 6(6) and (7), Article 7(1) and (3), Article 11(3), Article 43(5) and (6), Article 47(5), Article 51(3), Article 52(4) and Article 53(5) and (6) shall be conferred on the Commission for a period of five years from 1 August 2024. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period. 3. The delegation of power referred to in Article 6(6) and (7), Article 7(1) and (3), Article 11(3), Article 43(5) and (6), Article 47(5), Article 51(3), Article 52(4) and Article 53(5) and (6) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision.
Show original text
The European Parliament or the Council can revoke Articles 52(4) and 53(5) and (6) at any time. When they revoke these articles, the power given in that decision will end. The revocation will take effect the day after it is published in the Official Journal of the European Union or on a later specified date. This will not affect any delegated acts that are already in effect. Before the Commission adopts a delegated act, it must consult experts chosen by each Member State, following the guidelines from the Interinstitutional Agreement on Better Law-Making dated April 13, 2016. Once the Commission adopts a delegated act, it must notify both the European Parliament and the Council at the same time. A delegated act based on specific articles (Article 6(6) or (7), Article 7(1) or (3), Article 11(3), Article 43(5) or (6), Article 47(5), Article 51(3), Article 52(4), or Article 53(5) or (6)) will only take effect if neither the European Parliament nor the Council objects within three months of being notified. If both inform the Commission before the three months are up that they will not object, the act will also take effect. This three-month period can be extended by another three months if either the European Parliament or the Council requests it. Article 98 states that the Commission will be supported by a committee.
52(4) and Article 53(5) and (6) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. EN OJ L, 12.7.2024 114/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 6. Any delegated act adopted pursuant to Article 6(6) or (7), Article 7(1) or (3), Article 11(3), Article 43(5) or (6), Article 47(5), Article 51(3), Article 52(4) or Article 53(5) or (6) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council. Article 98 Committee procedure 1. The Commission shall be assisted by a committee.
Show original text
The Commission has informed that they will not raise any objections. The period for this can be extended by three months if the European Parliament or the Council initiates it. **Article 98: Committee Procedure** 1. The Commission will be supported by a committee, which is defined under Regulation (EU) No 182/2011. 2. When this paragraph is referenced, Article 5 of Regulation (EU) No 182/2011 will apply. **CHAPTER XII: PENALTIES** **Article 99: Penalties** 1. Member States must establish rules for penalties and enforcement measures for violations of this Regulation. These can include warnings and non-monetary actions. The penalties must be effective, proportionate, and discouraging, considering the interests of small and medium-sized enterprises (SMEs) and their economic viability. Member States must ensure these rules are properly implemented, following the guidelines from the Commission as stated in Article 96. 2. Member States must promptly inform the Commission about their penalty rules and any changes to them by the time this Regulation comes into effect. 3. Violations of the AI practices mentioned in Article 5 can result in administrative fines of up to EUR 35,000,000 or, for companies, up to 7% of their total worldwide annual turnover from the previous financial year, whichever amount is higher.
informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council. Article 98 Committee procedure 1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. CHAPTER XII PENALTIES Article 99 Penalties 1. In accordance with the terms and conditions laid down in this Regulation, Member States shall lay down the rules on penalties and other enforcement measures, which may also include warnings and non-monetary measures, applicable to infringements of this Regulation by operators, and shall take all measures necessary to ensure that they are properly and effectively implemented, thereby taking into account the guidelines issued by the Commission pursuant to Article 96. The penalties provided for shall be effective, proportionate and dissuasive. They shall take into account the interests of SMEs, including start-ups, and their economic viability. 2. The Member States shall, without delay and at the latest by the date of entry into application, notify the Commission of the rules on penalties and of other enforcement measures referred to in paragraph 1, and shall notify it, without delay, of any subsequent amendment to them. 3. Non-compliance with the prohibition of the AI practices referred to in Article 5 shall be subject to administrative fines of up to EUR 35 000 000 or, if the offender is an undertaking, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. 4.
Show original text
Companies can face administrative fines of up to EUR 35,000,000 or, if they are a business, up to 7% of their total worldwide annual revenue from the previous financial year, whichever amount is higher, for serious violations. For non-compliance with specific rules related to operators or notified bodies (excluding those in Article 5), fines can reach up to EUR 15,000,000 or, for businesses, up to 3% of their total worldwide annual revenue from the previous financial year, whichever is higher. These rules include obligations for: (a) providers (Article 16); (b) authorized representatives (Article 22); (c) importers (Article 23); (d) distributors (Article 24); (e) deployers (Article 26); (f) notified bodies (Articles 31, 33(1), (3), (4), and 34); (g) transparency for providers and deployers (Article 50). Providing incorrect, incomplete, or misleading information to notified bodies or national authorities can result in fines of up to EUR 7,500,000 or, for businesses, up to 1% of their total worldwide annual revenue from the previous financial year, whichever is higher. For small and medium-sized enterprises (SMEs), including start-ups, the fines mentioned will be capped at the lower of the specified amounts or percentages in paragraphs 3, 4, and 5.
subject to administrative fines of up to EUR 35 000 000 or, if the offender is an undertaking, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. 4. Non-compliance with any of the following provisions related to operators or notified bodies, other than those laid down in Articles 5, shall be subject to administrative fines of up to EUR 15 000 000 or, if the offender is an undertaking, up to 3 % of its total worldwide annual turnover for the preceding financial year, whichever is higher: (a) obligations of providers pursuant to Article 16; (b) obligations of authorised representatives pursuant to Article 22; (c) obligations of importers pursuant to Article 23; (d) obligations of distributors pursuant to Article 24; (e) obligations of deployers pursuant to Article 26; (f) requirements and obligations of notified bodies pursuant to Article 31, Article 33(1), (3) and (4) or Article 34; (g) transparency obligations for providers and deployers pursuant to Article 50. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 115/144 5. The supply of incorrect, incomplete or misleading information to notified bodies or national competent authorities in reply to a request shall be subject to administrative fines of up to EUR 7 500 000 or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher. 6. In the case of SMEs, including start-ups, each fine referred to in this Article shall be up to the percentages or amount referred to in paragraphs 3, 4 and 5, whichever thereof is lower. 7.
Show original text
6. For small and medium-sized enterprises (SMEs) and start-ups, any fines mentioned in this Article will be limited to the lower of the percentages or amounts specified in paragraphs 3, 4, and 5. 7. When deciding whether to impose a fine and determining its amount, all relevant factors of the situation will be considered, including: (a) the nature, seriousness, and duration of the violation and its effects, including the purpose of the AI system and the number of people affected; (b) if other market surveillance authorities have already fined the same operator for the same violation; (c) if other authorities have fined the same operator for different violations related to the same activity; (d) the size, annual revenue, and market share of the operator; (e) any other factors that may increase or decrease the severity of the case, such as financial gains or losses avoided due to the violation; (f) the level of cooperation from the operator with national authorities to address the violation; (g) the operator's responsibility based on the technical and organizational measures they have in place; (h) how the violation came to the attention of national authorities, especially if the operator reported it; (i) whether the violation was intentional or due to negligence; (j) any actions taken by the operator to reduce the harm to affected individuals.
6. In the case of SMEs, including start-ups, each fine referred to in this Article shall be up to the percentages or amount referred to in paragraphs 3, 4 and 5, whichever thereof is lower. 7. When deciding whether to impose an administrative fine and when deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and, as appropriate, regard shall be given to the following: (a) the nature, gravity and duration of the infringement and of its consequences, taking into account the purpose of the AI system, as well as, where appropriate, the number of affected persons and the level of damage suffered by them; (b) whether administrative fines have already been applied by other market surveillance authorities to the same operator for the same infringement; (c) whether administrative fines have already been applied by other authorities to the same operator for infringements of other Union or national law, when such infringements result from the same activity or omission constituting a relevant infringement of this Regulation; (d) the size, the annual turnover and market share of the operator committing the infringement; (e) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement; (f) the degree of cooperation with the national competent authorities, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the degree of responsibility of the operator taking into account the technical and organisational measures implemented by it; (h) the manner in which the infringement became known to the national competent authorities, in particular whether, and if so to what extent, the operator notified the infringement; (i) the intentional or negligent character of the infringement; (j) any action taken by the operator to mitigate the harm suffered by the affected persons. 8.
Show original text
The operator must notify about the infringement, and the extent of this notification is important. Factors to consider include whether the infringement was intentional or negligent, and any actions taken by the operator to reduce harm to affected individuals. Each Member State will establish rules regarding the imposition of administrative fines on public authorities and bodies within that state. Depending on the legal system, these fines may be imposed by national courts or other relevant bodies, and the application of these rules should have similar effects across Member States. The enforcement of these rules must follow proper legal procedures, ensuring judicial remedies and due process are in place. Member States are required to report annually to the Commission about the administrative fines they have issued and any related legal proceedings. According to Article 100, the European Data Protection Supervisor can impose administrative fines on Union institutions, bodies, offices, and agencies covered by this Regulation. When deciding on fines, all relevant circumstances must be considered, including the specifics of each case.
, in particular whether, and if so to what extent, the operator notified the infringement; (i) the intentional or negligent character of the infringement; (j) any action taken by the operator to mitigate the harm suffered by the affected persons. 8. Each Member State shall lay down rules on to what extent administrative fines may be imposed on public authorities and bodies established in that Member State. 9. Depending on the legal system of the Member States, the rules on administrative fines may be applied in such a manner that the fines are imposed by competent national courts or by other bodies, as applicable in those Member States. The application of such rules in those Member States shall have an equivalent effect. 10. The exercise of powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national law, including effective judicial remedies and due process. 11. Member States shall, on an annual basis, report to the Commission about the administrative fines they have issued during that year, in accordance with this Article, and about any related litigation or judicial proceedings. Article 100 Administrative fines on Union institutions, bodies, offices and agencies 1. The European Data Protection Supervisor may impose administrative fines on Union institutions, bodies, offices and agencies falling within the scope of this Regulation. When deciding whether to impose an administrative fine and when deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following: EN OJ L, 12.7.
Show original text
When determining the amount of an administrative fine for a specific case, all relevant circumstances must be considered, including: (a) the nature, seriousness, and duration of the violation, its consequences, the purpose of the AI system involved, the number of people affected, and the level of damage they experienced; (b) the responsibility of the Union institution, body, office, or agency, considering the technical and organizational measures they have taken; (c) any actions taken by the institution to reduce the damage to affected individuals; (d) the level of cooperation with the European Data Protection Supervisor to address the violation and lessen its negative effects, including adherence to any previous measures ordered by the Supervisor regarding the same issue; (e) any similar past violations by the institution; (f) how the violation was discovered by the European Data Protection Supervisor, especially whether and how the institution reported it; (g) the annual budget of the institution. Additionally, failing to comply with the prohibited AI practices mentioned in Article 5 may result in administrative fines of up to EUR 1,500,000.
when deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation shall be taken into account and due regard shall be given to the following: EN OJ L, 12.7.2024 116/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (a) the nature, gravity and duration of the infringement and of its consequences, taking into account the purpose of the AI system concerned, as well as, where appropriate, the number of affected persons and the level of damage suffered by them; (b) the degree of responsibility of the Union institution, body, office or agency, taking into account technical and organisational measures implemented by them; (c) any action taken by the Union institution, body, office or agency to mitigate the damage suffered by affected persons; (d) the degree of cooperation with the European Data Protection Supervisor in order to remedy the infringement and mitigate the possible adverse effects of the infringement, including compliance with any of the measures previously ordered by the European Data Protection Supervisor against the Union institution, body, office or agency concerned with regard to the same subject matter; (e) any similar previous infringements by the Union institution, body, office or agency; (f) the manner in which the infringement became known to the European Data Protection Supervisor, in particular whether, and if so to what extent, the Union institution, body, office or agency notified the infringement; (g) the annual budget of the Union institution, body, office or agency. 2. Non-compliance with the prohibition of the AI practices referred to in Article 5 shall be subject to administrative fines of up to EUR 1 500 000. 3.
Show original text
1. Union institutions, bodies, offices, or agencies must comply with regulations regarding AI practices. 2. If they violate the AI practices outlined in Article 5, they can face administrative fines of up to EUR 1,500,000. 3. For non-compliance with other requirements of this Regulation, fines can be up to EUR 750,000. 4. Before making any decisions, the European Data Protection Supervisor will allow the affected institution to present their case regarding the alleged violation. Decisions will be based only on information that both parties have had the chance to discuss. Complainants will also be involved in the process. 5. The rights of the parties involved will be fully respected, including access to the European Data Protection Supervisor’s files, unless it conflicts with the protection of personal data or business secrets. 6. Fines collected will go to the general budget of the Union and will not hinder the operations of the fined institution. 7. The European Data Protection Supervisor will inform the Commission annually about the fines imposed and any related legal actions.
of the Union institution, body, office or agency. 2. Non-compliance with the prohibition of the AI practices referred to in Article 5 shall be subject to administrative fines of up to EUR 1 500 000. 3. The non-compliance of the AI system with any requirements or obligations under this Regulation, other than those laid down in Article 5, shall be subject to administrative fines of up to EUR 750 000. 4. Before taking decisions pursuant to this Article, the European Data Protection Supervisor shall give the Union institution, body, office or agency which is the subject of the proceedings conducted by the European Data Protection Supervisor the opportunity of being heard on the matter regarding the possible infringement. The European Data Protection Supervisor shall base his or her decisions only on elements and circumstances on which the parties concerned have been able to comment. Complainants, if any, shall be associated closely with the proceedings. 5. The rights of defence of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the European Data Protection Supervisor’s file, subject to the legitimate interest of individuals or undertakings in the protection of their personal data or business secrets. 6. Funds collected by imposition of fines in this Article shall contribute to the general budget of the Union. The fines shall not affect the effective operation of the Union institution, body, office or agency fined. 7. The European Data Protection Supervisor shall, on an annual basis, notify the Commission of the administrative fines it has imposed pursuant to this Article and of any litigation or judicial proceedings it has initiated. Article 101 Fines for providers of general-purpose AI models 1.
Show original text
Each year, the Supervisor must inform the Commission about any administrative fines it has imposed and any legal actions it has started. **Article 101: Fines for Providers of General-Purpose AI Models** 1. The Commission can impose fines on providers of general-purpose AI models. These fines can be up to 3% of the provider's total global revenue from the previous financial year or €15,000,000, whichever amount is higher, if the provider: (a) violates the rules of this Regulation; (b) does not comply with a request for documents or information as stated in Article 91, or provides incorrect, incomplete, or misleading information; (c) fails to follow a measure requested under Article 93; (d) does not allow the Commission access to the general-purpose AI model or a model with systemic risk for evaluation as per Article 92. When determining the fine amount, the Commission will consider the nature, seriousness, and duration of the violation, while ensuring the fine is fair and appropriate. The Commission will also consider any commitments made under Article 93(3) or relevant codes of practice from Article 56. 2. Before making a final decision, the Commission will share its initial findings with the provider and allow them to respond. 3. Fines must be effective, fair, and act as a deterrent. 4. Information about the fines will also be shared with the Board as needed.
Supervisor shall, on an annual basis, notify the Commission of the administrative fines it has imposed pursuant to this Article and of any litigation or judicial proceedings it has initiated. Article 101 Fines for providers of general-purpose AI models 1. The Commission may impose on providers of general-purpose AI models fines not exceeding 3 % of their annual total worldwide turnover in the preceding financial year or EUR 15 000 000, whichever is higher., when the Commission finds that the provider intentionally or negligently: (a) infringed the relevant provisions of this Regulation; (b) failed to comply with a request for a document or for information pursuant to Article 91, or supplied incorrect, incomplete or misleading information; (c) failed to comply with a measure requested under Article 93; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 117/144 (d) failed to make available to the Commission access to the general-purpose AI model or general-purpose AI model with systemic risk with a view to conducting an evaluation pursuant to Article 92. In fixing the amount of the fine or periodic penalty payment, regard shall be had to the nature, gravity and duration of the infringement, taking due account of the principles of proportionality and appropriateness. The Commission shall also into account commitments made in accordance with Article 93(3) or made in relevant codes of practice in accordance with Article 56. 2. Before adopting the decision pursuant to paragraph 1, the Commission shall communicate its preliminary findings to the provider of the general-purpose AI model and give it an opportunity to be heard. 3. Fines imposed in accordance with this Article shall be effective, proportionate and dissuasive. 4. Information on fines imposed under this Article shall also be communicated to the Board as appropriate. 5.
Show original text
1. Parties should be given a chance to present their case. 2. Fines imposed under this Article must be effective, fair, and serve as a deterrent. 3. Information about these fines will be shared with the Board as needed. 4. The Court of Justice of the European Union can review the Commission's decisions on fines, and it has the authority to cancel, reduce, or increase the fines. 5. The Commission will create detailed rules and procedures for the decision-making process related to this Article, following the examination procedure outlined in Article 98(2). 6. In Article 4(3) of Regulation (EC) No 300/2008, a new sentence will be added: 'When creating detailed measures for the technical specifications and procedures for the approval and use of security equipment related to Artificial Intelligence systems, the requirements in Chapter III, Section 2 of Regulation (EU) 2024/1689 must be considered.' This regulation was established on June 13, 2024, and it sets harmonized rules on artificial intelligence while amending several other regulations and directives.
give it an opportunity to be heard. 3. Fines imposed in accordance with this Article shall be effective, proportionate and dissuasive. 4. Information on fines imposed under this Article shall also be communicated to the Board as appropriate. 5. The Court of Justice of the European Union shall have unlimited jurisdiction to review decisions of the Commission fixing a fine under this Article. It may cancel, reduce or increase the fine imposed. 6. The Commission shall adopt implementing acts containing detailed arrangements and procedural safeguards for proceedings in view of the possible adoption of decisions pursuant to paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2). CHAPTER XIII FINAL PROVISIONS Article 102 Amendment to Regulation (EC) No 300/2008 In Article 4(3) of Regulation (EC) No 300/2008, the following subparagraph is added: ‘When adopting detailed measures related to technical specifications and procedures for approval and use of security equipment concerning Artificial Intelligence systems within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Art
Show original text
(EU) 2018/1139, (EU) 2019/2144, and Directives 2014/90/EU, (EU) 2016/797, and (EU) 2020/1828 are related to the Artificial Intelligence Act (Regulation (EU) 2024/1689), published on July 12, 2024. Article 103 amends Regulation (EU) No 167/2013 by adding a new subparagraph to Article 17(5). This new subparagraph states that when creating delegated acts about artificial intelligence systems that are considered safety components under Regulation (EU) 2024/1689, the requirements in Chapter III, Section 2 of that Regulation must be followed.
(EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. Article 103 Amendment to Regulation (EU) No 167/2013 In Article 17(5) of Regulation (EU) No 167/2013, the following subparagraph is added: ‘When adopting delegated acts pursuant to the first subparagraph concerning artificial intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. EN OJ L, 12.7.
Show original text
On July 12, 2024, the Official Journal published Regulation (EU) 2024/1689, which includes an amendment to Regulation (EU) No 168/2013. This amendment adds a new subparagraph to Article 22(5) of Regulation (EU) No 168/2013. It states that when creating delegated acts related to Artificial Intelligence systems that are considered safety components under Regulation (EU) 2024/1689, the requirements outlined in Chapter III, Section 2 of that Regulation must be followed. Regulation (EU) 2024/1689 establishes harmonized rules on artificial intelligence and modifies several other regulations and directives.
2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. EN OJ L, 12.7.2024 118/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Article 104 Amendment to Regulation (EU) No 168/2013 In Article 22(5) of Regulation (EU) No 168/2013, the following subparagraph is added: ‘When adopting delegated acts pursuant to the first subparagraph concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’.
Show original text
The Artificial Intelligence Act (Regulation (EU) 2024/1689) was published on July 12, 2024. It includes an amendment to Directive 2014/90/EU, adding a new paragraph to Article 8. This paragraph states that when the European Commission is working on technical specifications and testing standards for safety components of Artificial Intelligence systems, it must consider the requirements outlined in Chapter III, Section 2 of the Artificial Intelligence Act. Additionally, there is an amendment to Directive (EU) 2016/797, which adds a new paragraph to Article 5.
(Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. Article 105 Amendment to Directive 2014/90/EU In Article 8 of Directive 2014/90/EU, the following paragraph is added: ‘5. For Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), when carrying out its activities pursuant to paragraph 1 and when adopting technical specifications and testing standards in accordance with paragraphs 2 and 3, the Commission shall take into account the requirements set out in Chapter III, Section 2, of that Regulation. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. Article 106 Amendment to Directive (EU) 2016/797 In Article 5 of Directive (EU) 2016/797, the following paragraph is added: ‘12.
Show original text
Article 106 updates Directive (EU) 2016/797 by adding a new paragraph. This paragraph states that when creating delegated and implementing acts related to Artificial Intelligence systems that are considered safety components under Regulation (EU) 2024/1689, the requirements in Chapter III, Section 2 of that Regulation must be followed. Regulation (EU) 2024/1689, established on June 13, 2024, sets out standardized rules for artificial intelligence and modifies several existing regulations and directives. Article 107 adds a new paragraph to Article 5 of Regulation (EU) 2018/858.
4/1689/oj).’. Article 106 Amendment to Directive (EU) 2016/797 In Article 5 of Directive (EU) 2016/797, the following paragraph is added: ‘12. When adopting delegated acts pursuant to paragraph 1 and implementing acts pursuant to paragraph 11 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 119/144 Article 107 Amendment to Regulation (EU) 2018/858 In Article 5 of Regulation (EU) 2018/858 the following paragraph is added: ‘4.
Show original text
Article 107 updates Regulation (EU) 2018/858 by adding a new paragraph to Article 5. This new paragraph states that when creating delegated acts related to Artificial Intelligence systems that are considered safety components under Regulation (EU) 2024/1689, the requirements in Chapter III, Section 2 of that regulation must be followed. Regulation (EU) 2024/1689, also known as the Artificial Intelligence Act, was established on June 13, 2024, and sets harmonized rules for artificial intelligence while amending several other regulations and directives. Article 108 introduces changes to Regulation (EU) 2018/1139 by adding a new paragraph to Article 17.
/1689/oj 119/144 Article 107 Amendment to Regulation (EU) 2018/858 In Article 5 of Regulation (EU) 2018/858 the following paragraph is added: ‘4. When adopting delegated acts pursuant to paragraph 3 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. Article 108 Amendments to Regulation (EU) 2018/1139 Regulation (EU) 2018/1139 is amended as follows: (1) in Article 17, the following paragraph is added: ‘3.
Show original text
Regulation (EU) 2018/1139 is updated as follows: (1) Article 17 now includes a new paragraph stating that when creating implementing acts related to Artificial Intelligence systems that are considered safety components under Regulation (EU) 2024/1689, the requirements from Chapter III, Section 2 of that Regulation must be considered. (2) Article 19 adds a new paragraph that requires the same consideration of Chapter III, Section 2 of Regulation (EU) 2024/1689 when adopting delegated acts concerning these AI systems. (3) Article 43 also includes a new paragraph related to this matter.
108 Amendments to Regulation (EU) 2018/1139 Regulation (EU) 2018/1139 is amended as follows: (1) in Article 17, the following paragraph is added: ‘3. Without prejudice to paragraph 2, when adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa. eu/eli/reg/2024/1689/oj).’; (2) in Article 19, the following paragraph is added: ‘4. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689, the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account.’; (3) in Article 43, the following paragraph is added: ‘4.
Show original text
According to Regulation (EU) 2024/1689, the following updates are made: 1. In Article 43, a new paragraph is added stating that when creating implementing acts related to Artificial Intelligence systems classified as safety components, the requirements in Chapter III, Section 2 of Regulation (EU) 2024/1689 must be considered. 2. In Article 47, a new paragraph is added that requires the same consideration for delegated acts concerning Artificial Intelligence systems that are safety components. 3. In Article 57, a new subparagraph is added emphasizing that the requirements in Chapter III, Section 2 of Regulation (EU) 2024/1689 must be taken into account when adopting implementing acts for these AI systems. 4. In Article 58, a new paragraph is added, reiterating that the requirements in Chapter III, Section 2 of Regulation (EU) 2024/1689 should be considered when adopting delegated acts for AI systems that are safety components.
(EU) 2024/1689, the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account.’; (3) in Article 43, the following paragraph is added: ‘4. When adopting implementing acts pursuant to paragraph 1 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689, the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account.’; (4) in Article 47, the following paragraph is added: ‘3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689, the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account.’; (5) in Article 57, the following subparagraph is added: ‘When adopting those implementing acts concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689, the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account.’; EN OJ L, 12.7.2024 120/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (6) in Article 58, the following paragraph is added: ‘3. When adopting delegated acts pursuant to paragraphs 1 and 2 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689, the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account.’.
Show original text
Article 109 amends Regulation (EU) 2019/2144 by adding a new paragraph to Article 11. This new paragraph states that when implementing acts are adopted regarding artificial intelligence systems that are considered safety components under Regulation (EU) 2024/1689, the requirements outlined in Chapter III, Section 2 of that regulation must be followed. Regulation (EU) 2024/1689, known as the Artificial Intelligence Act, was established by the European Parliament and Council on June 13, 2024, and it sets harmonized rules for artificial intelligence while amending several other regulations and directives.
and 2 concerning Artificial Intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689, the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account.’. Article 109 Amendment to Regulation (EU) 2019/2144 In Article 11 of Regulation (EU) 2019/2144, the following paragraph is added: ‘3. When adopting the implementing acts pursuant to paragraph 2, concerning artificial intelligence systems which are safety components within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council (*), the requirements set out in Chapter III, Section 2, of that Regulation shall be taken into account. (*) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’.
Show original text
The Artificial Intelligence Act (OJ L, 2024/1689, 12.7.2024) introduces new rules for artificial intelligence in the EU. Article 110 amends Directive (EU) 2020/1828 by adding a new point that references Regulation (EU) 2024/1689, which was established on June 13, 2024. This regulation sets harmonized rules for AI and modifies several existing regulations and directives. Article 111 states that AI systems that are part of large-scale IT systems, as listed in Annex X, and were already on the market before August 2, 2027, must comply with the new regulations by December 31, 2030.
(Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. Article 110 Amendment to Directive (EU) 2020/1828 In Annex I to Directive (EU) 2020/1828 of the European Parliament and of the Council (58), the following point is added: ‘(68) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/ 2024/1689/oj).’. Article 111 AI systems already placed on the market or put into service and general-purpose AI models already placed on the marked 1. Without prejudice to the application of Article 5 as referred to in Article 113(3), point (a), AI systems which are components of the large-scale IT systems established by the legal acts listed in Annex X that have been placed on the market or put into service before 2 August 2027 shall be brought into compliance with this Regulation by 31 December 2030.
Show original text
Large-scale IT systems created under the legal acts listed in Annex X that were sold or started operating before August 2, 2027, must comply with this Regulation by December 31, 2030. The requirements of this Regulation will be considered when evaluating these IT systems as outlined in the relevant legal acts, especially if those acts are updated or replaced. Additionally, this Regulation applies to operators of high-risk AI systems (not covered in the previous paragraph) that were sold or started operating before August 2, 2026, but only if those systems undergo significant design changes after that date. Providers and users of high-risk AI systems intended for public authorities must ensure compliance with this Regulation by August 2, 2030. Furthermore, providers of general-purpose AI models that were sold before August 2, 2025, must comply with this Regulation by August 2, 2027.
of the large-scale IT systems established by the legal acts listed in Annex X that have been placed on the market or put into service before 2 August 2027 shall be brought into compliance with this Regulation by 31 December 2030. The requirements laid down in this Regulation shall be taken into account in the evaluation of each large-scale IT system established by the legal acts listed in Annex X to be undertaken as provided for in those legal acts and where those legal acts are replaced or amended. 2. Without prejudice to the application of Article 5 as referred to in Article 113(3), point (a), this Regulation shall apply to operators of high-risk AI systems, other than the systems referred to in paragraph 1 of this Article, that have been placed on the market or put into service before 2 August 2026, only if, as from that date, those systems are subject to significant changes in their designs. In any case, the providers and deployers of high-risk AI systems intended to be used by public authorities shall take the necessary steps to comply with the requirements and obligations of this Regulation by 2 August 2030. 3. Providers of general-purpose AI models that have been placed on the market before 2 August 2025 shall take the necessary steps in order to comply with the obligations laid down in this Regulation by 2 August 2027. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 121/144 (58) Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p.
Show original text
On November 25, 2020, the Council adopted a regulation on representative actions to protect consumers' collective interests, replacing Directive 2009/22/EC (published in OJ L 409 on December 4, 2020, page 1). Article 112 outlines the evaluation and review process: 1. The Commission will review the lists in Annex III and the prohibited AI practices in Article 5 annually after this regulation takes effect, until the delegation period in Article 97 ends. The Commission will report its findings to the European Parliament and the Council. 2. By August 2, 2028, and every four years after that, the Commission will evaluate and report to the European Parliament and the Council on: (a) the need to update existing area headings or add new ones in Annex III; (b) changes to the list of AI systems that require more transparency as stated in Article 50; (c) improvements to the supervision and governance system. 3. By August 2, 2029, and every four years thereafter, the Commission will submit a report on the evaluation of this regulation to the European Parliament and the Council. This report will assess enforcement structures and whether a Union agency is needed to address any issues. If necessary, the report will include proposals for amending the regulation. All reports will be made public.
Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1). Article 112 Evaluation and review 1. The Commission shall assess the need for amendment of the list set out in Annex III and of the list of prohibited AI practices laid down in Article 5, once a year following the entry into force of this Regulation, and until the end of the period of the delegation of power laid down in Article 97. The Commission shall submit the findings of that assessment to the European Parliament and the Council. 2. By 2 August 2028 and every four years thereafter, the Commission shall evaluate and report to the European Parliament and to the Council on the following: (a) the need for amendments extending existing area headings or adding new area headings in Annex III; (b) amendments to the list of AI systems requiring additional transparency measures in Article 50; (c) amendments enhancing the effectiveness of the supervision and governance system. 3. By 2 August 2029 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The report shall include an assessment with regard to the structure of enforcement and the possible need for a Union agency to resolve any identified shortcomings. On the basis of the findings, that report shall, where appropriate, be accompanied by a proposal for amendment of this Regulation. The reports shall be made public. 4.
Show original text
A Union agency may be needed to address any identified issues. Based on the findings, a report will be created, which may include suggestions to amend this Regulation. These reports will be made public. The reports must focus on: (a) the financial, technical, and human resources of national authorities to effectively carry out their tasks under this Regulation; (b) the penalties, especially administrative fines mentioned in Article 99(1), imposed by Member States for violations of this Regulation; (c) the harmonized standards and common specifications developed to support this Regulation; (d) the number of businesses entering the market after this Regulation takes effect, particularly how many are small and medium-sized enterprises (SMEs). By August 2, 2028, the Commission will evaluate the AI Office to determine if it has enough powers and resources to perform its duties effectively. The Commission will report its findings to the European Parliament and the Council. Additionally, by August 2, 2028, and every four years after that, the Commission will provide a report on the progress of developing standards for energy-efficient general-purpose AI models. This report will assess the need for further actions, including mandatory measures, and will be submitted to the European Parliament and the Council, and made public.
and the possible need for a Union agency to resolve any identified shortcomings. On the basis of the findings, that report shall, where appropriate, be accompanied by a proposal for amendment of this Regulation. The reports shall be made public. 4. The reports referred to in paragraph 2 shall pay specific attention to the following: (a) the status of the financial, technical and human resources of the national competent authorities in order to effectively perform the tasks assigned to them under this Regulation; (b) the state of penalties, in particular administrative fines as referred to in Article 99(1), applied by Member States for infringements of this Regulation; (c) adopted harmonised standards and common specifications developed to support this Regulation; (d) the number of undertakings that enter the market after the entry into application of this Regulation, and how many of them are SMEs. 5. By 2 August 2028, the Commission shall evaluate the functioning of the AI Office, whether the AI Office has been given sufficient powers and competences to fulfil its tasks, and whether it would be relevant and needed for the proper implementation and enforcement of this Regulation to upgrade the AI Office and its enforcement competences and to increase its resources. The Commission shall submit a report on its evaluation to the European Parliament and to the Council. 6. By 2 August 2028 and every four years thereafter, the Commission shall submit a report on the review of the progress on the development of standardisation deliverables on the energy-efficient development of general-purpose AI models, and asses the need for further measures or actions, including binding measures or actions. The report shall be submitted to the European Parliament and to the Council, and it shall be made public. 7.
Show original text
The report will focus on the energy-efficient development of general-purpose AI models and will evaluate whether further actions, including mandatory measures, are needed. This report will be submitted to the European Parliament and the Council, and it will be made public. By August 2, 2028, and every three years after that, the Commission will assess how effective voluntary codes of conduct are in promoting the requirements for AI systems that are not classified as high-risk, as well as any additional requirements related to environmental sustainability. To support this process, the Board, Member States, and national authorities must provide the Commission with requested information promptly. In conducting these evaluations, the Commission will consider the views and findings from the Board, the European Parliament, the Council, and other relevant organizations. If necessary, the Commission will propose amendments to this Regulation, especially in response to technological advancements, the impact of AI on health and safety, fundamental rights, and the overall progress in the information society.
energy-efficient development of general-purpose AI models, and asses the need for further measures or actions, including binding measures or actions. The report shall be submitted to the European Parliament and to the Council, and it shall be made public. 7. By 2 August 2028 and every three years thereafter, the Commission shall evaluate the impact and effectiveness of voluntary codes of conduct to foster the application of the requirements set out in Chapter III, Section 2 for AI systems other than high-risk AI systems and possibly other additional requirements for AI systems other than high-risk AI systems, including as regards environmental sustainability. 8. For the purposes of paragraphs 1 to 7, the Board, the Member States and national competent authorities shall provide the Commission with information upon its request and without undue delay. 9. In carrying out the evaluations and reviews referred to in paragraphs 1 to 7, the Commission shall take into account the positions and findings of the Board, of the European Parliament, of the Council, and of other relevant bodies or sources. EN OJ L, 12.7.2024 122/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 10. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in technology, the effect of AI systems on health and safety, and on fundamental rights, and in light of the state of progress in the information society. 11.
Show original text
Proposals will be submitted to update this Regulation, especially considering advancements in technology, the impact of AI systems on health and safety, and fundamental rights, as well as the current state of the information society. To support the evaluations mentioned in paragraphs 1 to 7 of this Article, the AI Office will create a fair and inclusive method for assessing risk levels based on the criteria in the relevant Articles. This includes adding new systems to: (a) the list in Annex III, which may involve expanding existing categories or adding new ones; (b) the list of prohibited practices in Article 5; and (c) the list of AI systems that need more transparency measures as per Article 50. Any changes to this Regulation, as mentioned in paragraph 10, or related delegated or implementing acts, that affect specific Union harmonization laws listed in Section B of Annex I, will consider the unique regulations of each sector, along with the current governance, compliance assessment, and enforcement mechanisms and authorities in place. By August 2, 2031, the Commission will evaluate how this Regulation has been enforced and report its findings to the European Parliament, the Council, and the European Economic and Social Committee, reflecting on the initial years of the Regulation's application. Based on the results, this report may include suggestions for amending the Regulation regarding enforcement structure and the potential need for a Union agency to address any identified issues. This Regulation will take effect 20 days after its publication in the Official Journal of the European Union and will be applicable starting August 2, 2026.
, submit appropriate proposals to amend this Regulation, in particular taking into account developments in technology, the effect of AI systems on health and safety, and on fundamental rights, and in light of the state of progress in the information society. 11. To guide the evaluations and reviews referred to in paragraphs 1 to 7 of this Article, the AI Office shall undertake to develop an objective and participative methodology for the evaluation of risk levels based on the criteria outlined in the relevant Articles and the inclusion of new systems in: (a) the list set out in Annex III, including the extension of existing area headings or the addition of new area headings in that Annex; (b) the list of prohibited practices set out in Article 5; and (c) the list of AI systems requiring additional transparency measures pursuant to Article 50. 12. Any amendment to this Regulation pursuant to paragraph 10, or relevant delegated or implementing acts, which concerns sectoral Union harmonisation legislation listed in Section B of Annex I shall take into account the regulatory specificities of each sector, and the existing governance, conformity assessment and enforcement mechanisms and authorities established therein. 13. By 2 August 2031, the Commission shall carry out an assessment of the enforcement of this Regulation and shall report on it to the European Parliament, the Council and the European Economic and Social Committee, taking into account the first years of application of this Regulation. On the basis of the findings, that report shall, where appropriate, be accompanied by a proposal for amendment of this Regulation with regard to the structure of enforcement and the need for a Union agency to resolve any identified shortcomings. Article 113 Entry into force and application This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 2 August 2026.
Show original text
Article 113 outlines the entry into force and application of this Regulation. It will take effect 20 days after its publication in the Official Journal of the European Union and will be applicable from 2 August 2026. However, specific chapters will have different start dates: Chapters I and II will apply from 2 February 2025; Chapter III Section 4, Chapter V, Chapter VII, Chapter XII, and Article 78 will apply from 2 August 2025, except for Article 101; and Article 6(1) and its related obligations will apply from 2 August 2027. This Regulation is binding and directly applicable in all Member States. It was finalized in Brussels on 13 June 2024, signed by R. Metsola, President of the European Parliament, and M. Michel, President of the Council. The document reference is OJ L, 12.7.2024, with the ELI link provided. ANNEX I lists Union harmonisation legislation based on the New Legislative Framework, including: 1. Directive 2006/42/EC on machinery, amending Directive 95/16/EC; 2. Directive 2009/48/EC on toy safety.
any identified shortcomings. Article 113 Entry into force and application This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from 2 August 2026. However: (a) Chapters I and II shall apply from 2 February 2025; (b) Chapter III Section 4, Chapter V, Chapter VII and Chapter XII and Article 78 shall apply from 2 August 2025, with the exception of Article 101; (c) Article 6(1) and the corresponding obligations in this Regulation shall apply from 2 August 2027. This Regulation shall be binding in its entirety and directly applicable in all Member States. Done at Brussels, 13 June 2024. For the European Parliament The President R. METSOLA For the Council The President M. MICHEL OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 123/144 ANNEX I List of Union harmonisation legislation Section A. List of Union harmonisation legislation based on the New Legislative Framework 1. Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (OJ L 157, 9.6.2006, p. 24); 2. Directive 2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1); 3.
Show original text
The following directives were established by the European Parliament and Council: 1. Directive 2009/48/EC on toy safety, dated June 18, 2009 (Official Journal L 170, June 30, 2009, page 1). 2. Directive 2013/53/EU on recreational craft and personal watercraft, dated November 20, 2013, which repeals Directive 94/25/EC (Official Journal L 354, December 28, 2013, page 90). 3. Directive 2014/33/EU on the harmonization of laws regarding lifts and safety components for lifts, dated February 26, 2014 (Official Journal L 96, March 29, 2014, page 251). 4. Directive 2014/34/EU on the harmonization of laws for equipment and protective systems used in potentially explosive atmospheres, dated February 26, 2014 (Official Journal L 96, March 29, 2014, page 309). 5. Directive 2014/53/EU on the harmonization of laws for the market availability of radio equipment, dated April 16, 2014, which repeals Directive 1999/5/EC (Official Journal L 153, May 22, 2014, page 62). 6. Directive 2014/68/EU on the harmonization of laws for the market availability of pressure equipment, dated May 15, 2014 (Official Journal L 189, June 27, 2014, page 164).
2009/48/EC of the European Parliament and of the Council of 18 June 2009 on the safety of toys (OJ L 170, 30.6.2009, p. 1); 3. Directive 2013/53/EU of the European Parliament and of the Council of 20 November 2013 on recreational craft and personal watercraft and repealing Directive 94/25/EC (OJ L 354, 28.12.2013, p. 90); 4. Directive 2014/33/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to lifts and safety components for lifts (OJ L 96, 29.3.2014, p. 251); 5. Directive 2014/34/EU of the European Parliament and of the Council of 26 February 2014 on the harmonisation of the laws of the Member States relating to equipment and protective systems intended for use in potentially explosive atmospheres (OJ L 96, 29.3.2014, p. 309); 6. Directive 2014/53/EU of the European Parliament and of the Council of 16 April 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of radio equipment and repealing Directive 1999/5/EC (OJ L 153, 22.5.2014, p. 62); 7. Directive 2014/68/EU of the European Parliament and of the Council of 15 May 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of pressure equipment (OJ L 189, 27.6.2014, p. 164); 8.
Show original text
On 15 May 2014, a regulation was established to harmonize the laws of EU Member States regarding the market availability of pressure equipment (Official Journal L 189, 27 June 2014, page 164). Additionally, several regulations were enacted on 9 March 2016: Regulation (EU) 2016/424 concerning cableway installations, which replaced Directive 2000/9/EC (Official Journal L 81, 31 March 2016, page 1); Regulation (EU) 2016/425 on personal protective equipment, which replaced Council Directive 89/686/EEC (Official Journal L 81, 31 March 2016, page 51); and Regulation (EU) 2016/426 on appliances that burn gaseous fuels, which replaced Directive 2009/142/EC (Official Journal L 81, 31 March 2016, page 99). Furthermore, on 5 April 2017, Regulation (EU) 2017/745 was adopted regarding medical devices, which amended Directive 2001/83/EC, Regulation (EC) No 178/2002, and Regulation (EC) No 1223/2009, while repealing Council Directives 90/385/EEC and 93/42/EEC (Official Journal L 117, 5 May 2017, page 1).
15 May 2014 on the harmonisation of the laws of the Member States relating to the making available on the market of pressure equipment (OJ L 189, 27.6.2014, p. 164); 8. Regulation (EU) 2016/424 of the European Parliament and of the Council of 9 March 2016 on cableway installations and repealing Directive 2000/9/EC (OJ L 81, 31.3.2016, p. 1); 9. Regulation (EU) 2016/425 of the European Parliament and of the Council of 9 March 2016 on personal protective equipment and repealing Council Directive 89/686/EEC (OJ L 81, 31.3.2016, p. 51); 10. Regulation (EU) 2016/426 of the European Parliament and of the Council of 9 March 2016 on appliances burning gaseous fuels and repealing Directive 2009/142/EC (OJ L 81, 31.3.2016, p. 99); 11. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1); 12.
Show original text
Regulation 1223/2009, which was published in the Official Journal (OJ L 117, 5.5.2017, p. 1), repeals Council Directives 90/385/EEC and 93/42/EEC. Additionally, Regulation (EU) 2017/746, enacted by the European Parliament and Council on April 5, 2017, addresses in vitro diagnostic medical devices and replaces Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176). Other Union harmonization legislation includes: 1. Regulation (EC) No 300/2008, which establishes common rules for civil aviation security and repeals Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72). 2. Regulation (EU) No 168/2013, concerning the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52). 3. Regulation (EU) No 167/2013, which focuses on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1).
1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, 5.5.2017, p. 1); 12. Regulation (EU) 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, 5.5.2017, p. 176). Section B. List of other Union harmonisation legislation 13. Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72); 14. Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52); 15. Regulation (EU) No 167/2013 of the European Parliament and of the Council of 5 February 2013 on the approval and market surveillance of agricultural and forestry vehicles (OJ L 60, 2.3.2013, p. 1); EN OJ L, 12.7.2024 124/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 16.
Show original text
In 2014, the European Parliament and Council issued Directive 2014/90/EU on marine equipment, which replaced Council Directive 96/98/EC. In 2016, they introduced Directive (EU) 2016/797 regarding the interoperability of the rail system in the EU. Then, in 2018, Regulation (EU) 2018/858 was enacted to oversee the approval and market surveillance of motor vehicles, trailers, and related components, updating previous regulations and replacing Directive 2007/46/EC. Finally, on November 27, 2019, Regulation (EU) 2019/2144 was adopted, setting type-approval requirements for motor vehicles and trailers, focusing on safety for vehicle occupants and vulnerable road users, while amending Regulation (EU) 2018/858 and repealing several earlier regulations.
.2013, p. 1); EN OJ L, 12.7.2024 124/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 16. Directive 2014/90/EU of the European Parliament and of the Council of 23 July 2014 on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, 28.8.2014, p. 146); 17. Directive (EU) 2016/797 of the European Parliament and of the Council of 11 May 2016 on the interoperability of the rail system within the European Union (OJ L 138, 26.5.2016, p. 44); 18. Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018, p. 1); 19. Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661
Show original text
This document updates Regulation (EU) 2018/858 from the European Parliament and Council, and it cancels several previous regulations: (EC) No 78/2009, (EC) No 79/2009, (EC) No 661/2009, and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012, and (EU) 2015/166. Additionally, it addresses Regulation (EU) 2018/1139, which was established on July 4, 2018, regarding common rules in civil aviation and the creation of the European Union Aviation Safety Agency. This regulation also amends Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014, and Directives 2014/30/EU and 2014/53/EU, while repealing Regulations (EC) No 552/2004 and (EC) No 216/2008.
amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, 16.12.2019, p. 1); 20. Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and
Show original text
The regulations 2014/30/EU and 2014/53/EU from the European Parliament and Council replace previous regulations (EC) No 552/2004, (EC) No 216/2008, and Council Regulation (EEC) No 3922/91. These regulations specifically address the design, production, and marketing of unmanned aircraft, including their engines, propellers, parts, and remote control equipment. This information is published in the Official Journal (OJ L 212, 22.8.2018, p. 1). ANNEX II lists the criminal offenses mentioned in Article 5(1), first subparagraph, point (h)(iii), which include: - Terrorism - Human trafficking - Sexual exploitation of children and child pornography - Illegal drug trafficking - Illegal trafficking of weapons, munitions, or explosives - Murder and serious bodily harm - Illegal trade in human organs or tissues - Illegal trafficking of nuclear or radioactive materials - Kidnapping or hostage-taking - Crimes under the jurisdiction of the International Criminal Court - Unlawful seizure of aircraft or ships - Rape - Environmental crimes - Organized or armed robbery - Sabotage - Participation in a criminal organization involved in any of the above offenses.
/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 22.8.2018, p. 1), in so far as the design, production and placing on the market of aircrafts referred to in Article 2(1), points (a) and (b) thereof, where it concerns unmanned aircraft and their engines, propellers, parts and equipment to control them remotely, are concerned. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 125/144 ANNEX II List of criminal offences referred to in Article 5(1), first subparagraph, point (h)(iii) Criminal offences referred to in Article 5(1), first subparagraph, point (h)(iii): — terrorism, — trafficking in human beings, — sexual exploitation of children, and child pornography, — illicit trafficking in narcotic drugs or psychotropic substances, — illicit trafficking in weapons, munitions or explosives, — murder, grievous bodily injury, — illicit trade in human organs or tissue, — illicit trafficking in nuclear or radioactive materials, — kidnapping, illegal restraint or hostage-taking, — crimes within the jurisdiction of the International Criminal Court, — unlawful seizure of aircraft or ships, — rape, — environmental crime, — organised or armed robbery, — sabotage, — participation in a criminal organisation involved in one or more of the offences listed above. EN OJ L, 12.7.
Show original text
The following actions are considered serious crimes: seizure of aircraft or ships, rape, environmental crime, organized or armed robbery, sabotage, and involvement in a criminal organization related to any of these offenses. According to Article 6(2), high-risk AI systems include those in the following categories: 1. Biometrics (where allowed by law): a. Remote biometric identification systems (excluding those used solely for verifying a person's identity). b. AI systems for biometric categorization based on sensitive attributes. c. AI systems for emotion recognition. 2. Critical infrastructure: AI systems used for safety in managing critical digital infrastructure, road traffic, or supplying water, gas, heating, or electricity. 3. Education and vocational training: a. AI systems for determining access to educational institutions. b. AI systems for evaluating learning outcomes and guiding the learning process. c. AI systems for assessing the appropriate education level for individuals in educational institutions.
seizure of aircraft or ships, — rape, — environmental crime, — organised or armed robbery, — sabotage, — participation in a criminal organisation involved in one or more of the offences listed above. EN OJ L, 12.7.2024 126/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj ANNEX III High-risk AI systems referred to in Article 6(2) High-risk AI systems pursuant to Article 6(2) are the AI systems listed in any of the following areas: 1. Biometrics, in so far as their use is permitted under relevant Union or national law: (a) remote biometric identification systems. This shall not include AI systems intended to be used for biometric verification the sole purpose of which is to confirm that a specific natural person is the person he or she claims to be; (b) AI systems intended to be used for biometric categorisation, according to sensitive or protected attributes or characteristics based on the inference of those attributes or characteristics; (c) AI systems intended to be used for emotion recognition. 2. Critical infrastructure: AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity. 3. Education and vocational training: (a) AI systems intended to be used to determine access or admission or to assign natural persons to educational and vocational training institutions at all levels; (b) AI systems intended to be used to evaluate learning outcomes, including when those outcomes are used to steer the learning process of natural persons in educational and vocational training institutions at all levels; (c) AI systems intended to be used for the purpose of assessing the appropriate level of education that an individual will receive or will be able to access, in the context of or within educational and vocational training institutions at all levels; (d) AI systems intended
Show original text
AI systems are designed for various purposes in education, employment, and access to essential services. In education, they assess the appropriate level of education for individuals and monitor student behavior during tests. In employment, these systems help with recruiting by placing job ads, analyzing applications, and evaluating candidates. They also make decisions about work relationships, such as promotions or terminations, and monitor employee performance. For essential services, AI systems evaluate eligibility for public assistance benefits, including healthcare, and determine creditworthiness, except for fraud detection. They are also used for risk assessment and pricing in life and health insurance.
AI systems intended to be used for the purpose of assessing the appropriate level of education that an individual will receive or will be able to access, in the context of or within educational and vocational training institutions at all levels; (d) AI systems intended to be used for monitoring and detecting prohibited behaviour of students during tests in the context of or within educational and vocational training institutions at all levels. 4. Employment, workers’ management and access to self-employment: (a) AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates; (b) AI systems intended to be used to make decisions affecting terms of work-related relationships, the promotion or termination of work-related contractual relationships, to allocate tasks based on individual behaviour or personal traits or characteristics or to monitor and evaluate the performance and behaviour of persons in such relationships. 5. Access to and enjoyment of essential private services and essential public services and benefits: (a) AI systems intended to be used by public authorities or on behalf of public authorities to evaluate the eligibility of natural persons for essential public assistance benefits and services, including healthcare services, as well as to grant, reduce, revoke, or reclaim such benefits and services; (b) AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud; (c) AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance; OJ L, 12.7.
Show original text
AI systems are excluded from certain regulations if they are used for: (a) detecting financial fraud; (b) assessing risk and pricing for life and health insurance for individuals; (c) evaluating and prioritizing emergency calls and dispatching emergency services like police, firefighters, and medical aid, including patient triage systems. Additionally, law enforcement can use AI systems under relevant laws for: (a) assessing the risk of someone becoming a victim of crime; (b) using polygraphs or similar tools; (c) evaluating the reliability of evidence during criminal investigations or prosecutions; (d) assessing the risk of an individual committing or re-committing a crime, based on more than just profiling.
exception of AI systems used for the purpose of detecting financial fraud; (c) AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance; OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 127/144 (d) AI systems intended to evaluate and classify emergency calls by natural persons or to be used to dispatch, or to establish priority in the dispatching of, emergency first response services, including by police, firefighters and medical aid, as well as of emergency healthcare patient triage systems. 6. Law enforcement, in so far as their use is permitted under relevant Union or national law: (a) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union institutions, bodies, offices or agencies in support of law enforcement authorities or on their behalf to assess the risk of a natural person becoming the victim of criminal offences; (b) AI systems intended to be used by or on behalf of law enforcement authorities or by Union institutions, bodies, offices or agencies in support of law enforcement authorities as polygraphs or similar tools; (c) AI systems intended to be used by or on behalf of law enforcement authorities, or by Union institutions, bodies, offices or agencies, in support of law enforcement authorities to evaluate the reliability of evidence in the course of the investigation or prosecution of criminal offences; (d) AI systems intended to be used by law enforcement authorities or on their behalf or by Union institutions, bodies, offices or agencies in support of law enforcement authorities for assessing the risk of a natural person offending or re-offending not solely on the basis of the profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680, or to assess personality traits and characteristics or past
Show original text
AI systems cannot be used to determine if a person is likely to commit a crime based solely on their profile, personality traits, or past criminal behavior. These systems are intended for use by law enforcement or EU institutions to help in detecting, investigating, or prosecuting crimes, as outlined in Article 3(4) of Directive (EU) 2016/680. In the context of migration, asylum, and border control, AI systems can be used by public authorities or EU institutions under relevant laws for the following purposes: (a) As polygraphs or similar tools. (b) To assess risks, including security, irregular migration, or health risks, for individuals entering or already in a Member State. (c) To assist in reviewing applications for asylum, visas, or residence permits, including evaluating the reliability of evidence provided by applicants. (d) To help detect, recognize, or identify individuals in migration, asylum, or border control processes.
person offending or re-offending not solely on the basis of the profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680, or to assess personality traits and characteristics or past criminal behaviour of natural persons or groups; (e) AI systems intended to be used by or on behalf of law enforcement authorities or by Union institutions, bodies, offices or agencies in support of law enforcement authorities for the profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 in the course of the detection, investigation or prosecution of criminal offences. 7. Migration, asylum and border control management, in so far as their use is permitted under relevant Union or national law: (a) AI systems intended to be used by or on behalf of competent public authorities or by Union institutions, bodies, offices or agencies as polygraphs or similar tools; (b) AI systems intended to be used by or on behalf of competent public authorities or by Union institutions, bodies, offices or agencies to assess a risk, including a security risk, a risk of irregular migration, or a health risk, posed by a natural person who intends to enter or who has entered into the territory of a Member State; (c) AI systems intended to be used by or on behalf of competent public authorities or by Union institutions, bodies, offices or agencies to assist competent public authorities for the examination of applications for asylum, visa or residence permits and for associated complaints with regard to the eligibility of the natural persons applying for a status, including related assessments of the reliability of evidence; (d) AI systems intended to be used by or on behalf of competent public authorities, or by Union institutions, bodies, offices or agencies, in the context of migration, asylum or border control management, for the purpose of detecting, recognising or identifying natural persons,
Show original text
AI systems can be used by public authorities or EU institutions for managing migration, asylum, or border control. Their purpose is to detect, recognize, or identify individuals, but they do not include checking travel documents. For the administration of justice and democratic processes: (a) AI systems may assist judicial authorities in researching facts and laws, and applying them to specific cases, or in alternative dispute resolution. (b) AI systems should not be used to influence election outcomes or voter behavior directly. However, tools that help organize or manage political campaigns without directly exposing individuals to AI outputs are excluded from this restriction. ANNEX IV outlines the technical documentation required in Article 11(1), which must include specific information relevant to the AI system.
used by or on behalf of competent public authorities, or by Union institutions, bodies, offices or agencies, in the context of migration, asylum or border control management, for the purpose of detecting, recognising or identifying natural persons, with the exception of the verification of travel documents. 8. Administration of justice and democratic processes: (a) AI systems intended to be used by a judicial authority or on their behalf to assist a judicial authority in researching and interpreting facts and the law and in applying the law to a concrete set of facts, or to be used in a similar way in alternative dispute resolution; EN OJ L, 12.7.2024 128/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (b) AI systems intended to be used for influencing the outcome of an election or referendum or the voting behaviour of natural persons in the exercise of their vote in elections or referenda. This does not include AI systems to the output of which natural persons are not directly exposed, such as tools used to organise, optimise or structure political campaigns from an administrative or logistical point of view. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 129/144 ANNEX IV Technical documentation referred to in Article 11(1) The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system: 1.
Show original text
ANNEX IV Technical Documentation Required by Article 11(1) The technical documentation mentioned in Article 11(1) must include at least the following information relevant to the AI system: 1. A general description of the AI system, which should cover: (a) Its intended purpose, the provider's name, and the system version in relation to previous versions; (b) How the AI system interacts with hardware or software, including other AI systems, if applicable; (c) Versions of relevant software or firmware and any requirements for updates; (d) The different forms in which the AI system is available, such as software packages, downloads, or APIs; (e) The hardware specifications on which the AI system is designed to operate; (f) If the AI system is part of other products, include photos or illustrations showing the external features, markings, and internal layout of those products; (g) A basic description of the user interface for the deployer; (h) Instructions for the deployer and a basic description of the user interface, if applicable. 2. A detailed description of the AI system's components and its development process, including: (a) The methods and steps taken to develop the AI system, including the use of pre-trained systems or third-party tools, and how these were integrated or modified by the provider; (b) The design specifications of the system, including the overall logic of the AI system and algorithms, key design choices, and the rationale behind them, especially regarding the intended users or groups.
129/144 ANNEX IV Technical documentation referred to in Article 11(1) The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system: 1. A general description of the AI system including: (a) its intended purpose, the name of the provider and the version of the system reflecting its relation to previous versions; (b) how the AI system interacts with, or can be used to interact with, hardware or software, including with other AI systems, that are not part of the AI system itself, where applicable; (c) the versions of relevant software or firmware, and any requirements related to version updates; (d) the description of all the forms in which the AI system is placed on the market or put into service, such as software packages embedded into hardware, downloads, or APIs; (e) the description of the hardware on which the AI system is intended to run; (f) where the AI system is a component of products, photographs or illustrations showing external features, the marking and internal layout of those products; (g) a basic description of the user-interface provided to the deployer; (h) instructions for use for the deployer, and a basic description of the user-interface provided to the deployer, where applicable; 2. A detailed description of the elements of the AI system and of the process for its development, including: (a) the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how those were used, integrated or modified by the provider; (b) the design specifications of the system, namely the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made, including with regard to persons or groups of persons in respect of who, the system is intended to be used; the main classification choices
Show original text
This document outlines the following key aspects of the AI system: 1. **General Logic and Design Choices**: It explains the overall logic of the AI system and the algorithms used, including the main design decisions, assumptions made about the intended users, classification choices, optimization goals, and the significance of various parameters. It also describes the expected output and its quality, as well as any trade-offs made in technical solutions to meet the requirements in Chapter III, Section 2. 2. **System Architecture**: It details how the software components interact and integrate within the system, along with the computational resources used for developing, training, testing, and validating the AI system. 3. **Data Requirements**: It includes information about the data needed for the system, such as datasheets that describe the training methods and datasets used. This section covers the characteristics of the datasets, their origin, how they were selected, labeling procedures for supervised learning, and data cleaning methods like outlier detection. 4. **Human Oversight Measures**: It assesses the necessary human oversight measures as per Article 14, including technical measures to help users interpret the AI outputs, in line with Article 13(3), point (d). 5. **Pre-determined Changes**: If applicable, it provides a detailed description of any planned changes to the AI system and its performance, along with information on technical solutions to ensure ongoing compliance with the requirements in Chapter III, Section 2. 6. **Validation and Testing Procedures**: It outlines the validation and testing processes used, including details about the validation and testing data and their characteristics, as well as the metrics employed to measure accuracy, robustness, and compliance with relevant requirements in Chapter III, Section 2.
general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made, including with regard to persons or groups of persons in respect of who, the system is intended to be used; the main classification choices; what the system is designed to optimise for, and the relevance of the different parameters; the description of the expected output and output quality of the system; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Chapter III, Section 2; (c) the description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; the computational resources used to develop, train, test and validate the AI system; (d) where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including a general description of these data sets, information about their provenance, scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection); (e) assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the deployers, in accordance with Article 13(3), point (d); (f) where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Chapter III, Section 2; (g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness and compliance with other relevant requirements set out in Chapter III, Section 2
Show original text
2; (g) Information about the validation and testing procedures, including details on the data used for validation and testing, their main characteristics, and the metrics for measuring accuracy, robustness, and compliance with requirements in Chapter III, Section 2. This includes assessing potential discriminatory impacts, along with test logs and reports that are dated and signed by responsible individuals, especially regarding any pre-determined changes mentioned in point (f); (h) Cybersecurity measures implemented; 3. Detailed information on monitoring, functioning, and control of the AI system, focusing on its performance capabilities and limitations, including accuracy levels for specific individuals or groups it is designed for, and the overall expected accuracy for its intended use. This also covers potential unintended consequences and risks to health, safety, fundamental rights, and discrimination related to the AI system's purpose, as well as necessary human oversight measures as per Article 14, including technical measures to help users interpret AI outputs and specifications for input data where applicable; 4. An evaluation of how suitable the performance metrics are for the specific AI system; 5. A comprehensive description of the risk management system as outlined in Article 9; 6. An account of significant changes made by the provider to the system throughout its lifecycle;
2; (g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness and compliance with other relevant requirements set out in Chapter III, Section 2, as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f); EN OJ L, 12.7.2024 130/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj (h) cybersecurity measures put in place; 3. Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the deployers; specifications on input data, as appropriate; 4. A description of the appropriateness of the performance metrics for the specific AI system; 5. A detailed description of the risk management system in accordance with Article 9; 6. A description of relevant changes made by the provider to the system through its lifecycle; 7.
Show original text
1. An evaluation of how suitable the performance metrics are for the specific AI system. 2. A thorough explanation of the risk management system as required by Article 9. 3. A summary of any significant changes made to the system by the provider throughout its lifecycle. 4. A list of harmonized standards that have been fully or partially applied, with references published in the Official Journal of the European Union. If no harmonized standards were used, a detailed explanation of the alternative solutions adopted to meet the requirements in Chapter III, Section 2, along with a list of other relevant standards and technical specifications. 5. A copy of the EU declaration of conformity mentioned in Article 47. 6. A comprehensive description of the system for evaluating the AI system's performance after it has been released to the market, in line with Article 72, including the post-market monitoring plan outlined in Article 72(3). ANNEX V EU Declaration of Conformity The EU declaration of conformity referenced in Article 47 must include the following information: 1. The name and type of the AI system, along with any additional clear references for identification and traceability. 2. The name and address of the provider or their authorized representative, if applicable. 3. A statement confirming that the EU declaration of conformity is issued solely under the provider's responsibility. 4. A statement confirming that the AI system complies with this Regulation and any other relevant Union laws that necessitate the issuance of the EU declaration of conformity.
appropriateness of the performance metrics for the specific AI system; 5. A detailed description of the risk management system in accordance with Article 9; 6. A description of relevant changes made by the provider to the system through its lifecycle; 7. A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Chapter III, Section 2, including a list of other relevant standards and technical specifications applied; 8. A copy of the EU declaration of conformity referred to in Article 47; 9. A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 72, including the post-market monitoring plan referred to in Article 72(3). OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 131/144 ANNEX V EU declaration of conformity The EU declaration of conformity referred to in Article 47, shall contain all of the following information: 1. AI system name and type and any additional unambiguous reference allowing the identification and traceability of the AI system; 2. The name and address of the provider or, where applicable, of their authorised representative; 3. A statement that the EU declaration of conformity referred to in Article 47 is issued under the sole responsibility of the provider; 4. A statement that the AI system is in conformity with this Regulation and, if applicable, with any other relevant Union law that provides for the issuing of the EU declaration of conformity referred to in Article 47; 5.
Show original text
The provider must include the following in their declaration: 1. A statement confirming that the AI system meets this Regulation and any other relevant EU laws that require an EU declaration of conformity as mentioned in Article 47. 2. If the AI system processes personal data, a statement confirming compliance with Regulations (EU) 2016/679 and (EU) 2018/1725, as well as Directive (EU) 2016/680. 3. References to any relevant harmonized standards or common specifications used to declare conformity. 4. If applicable, the name and identification number of the notified body, a description of the conformity assessment procedure conducted, and details of the issued certificate. 5. The place and date of the declaration's issue, the name and role of the person who signed it, who they represent, and their signature. ANNEX VI outlines the conformity assessment procedure based on internal control: 1. This procedure is based on points 2, 3, and 4. 2. The provider checks that their quality management system complies with Article 17. 3. The provider reviews the technical documentation to ensure the AI system meets the essential requirements in Chapter III, Section 2. 4. The provider verifies that the design and development process of the AI system and its post-market monitoring, as mentioned in Article 72, align with the technical documentation.
the provider; 4. A statement that the AI system is in conformity with this Regulation and, if applicable, with any other relevant Union law that provides for the issuing of the EU declaration of conformity referred to in Article 47; 5. Where an AI system involves the processing of personal data, a statement that that AI system complies with Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680; 6. References to any relevant harmonised standards used or any other common specification in relation to which conformity is declared; 7. Where applicable, the name and identification number of the notified body, a description of the conformity assessment procedure performed, and identification of the certificate issued; 8. The place and date of issue of the declaration, the name and function of the person who signed it, as well as an indication for, or on behalf of whom, that person signed, a signature. EN OJ L, 12.7.2024 132/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj ANNEX VI Conformity assessment procedure based on internal control 1. The conformity assessment procedure based on internal control is the conformity assessment procedure based on points 2, 3 and 4. 2. The provider verifies that the established quality management system is in compliance with the requirements of Article 17. 3. The provider examines the information contained in the technical documentation in order to assess the compliance of the AI system with the relevant essential requirements set out in Chapter III, Section 2. 4. The provider also verifies that the design and development process of the AI system and its post-market monitoring as referred to in Article 72 is consistent with the technical documentation. OJ L, 12.7.
Show original text
Section 2.4 states that the provider must ensure that the design and development of the AI system, as well as its monitoring after it is on the market, aligns with the technical documentation mentioned in Article 72. This information is published in the Official Journal (OJ L, 12.7.2024) and can be found at the provided ELI link. ANNEX VII outlines the conformity assessment process based on evaluating the quality management system and the technical documentation. 1. Introduction: This section describes the conformity assessment procedure based on points 2 to 5. 2. Overview: The quality management system for designing, developing, and testing AI systems, as per Article 17, will be reviewed according to point 3 and monitored as detailed in point 5. The technical documentation for the AI system will be assessed according to point 4. 3. Quality Management System: 3.1. The provider's application must include: (a) The provider's name and address, and if submitted by an authorized representative, their name and address as well. (b) A list of AI systems included under the same quality management system. (c) Technical documentation for each AI system under the same quality management system. (d) Documentation regarding the quality management system that covers all aspects listed in Article 17. (e) A description of procedures to ensure the quality management system remains effective and adequate. (f) A written statement confirming that this application has not been submitted to any other notified body. 3.2. The notified body will assess the quality management system to determine if it meets the requirements outlined in Article 17. The decision will be communicated to the provider or their authorized representative.
, Section 2. 4. The provider also verifies that the design and development process of the AI system and its post-market monitoring as referred to in Article 72 is consistent with the technical documentation. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 133/144 ANNEX VII Conformity based on an assessment of the quality management system and an assessment of the technical documentation 1. Introduction Conformity based on an assessment of the quality management system and an assessment of the technical documentation is the conformity assessment procedure based on points 2 to 5. 2. Overview The approved quality management system for the design, development and testing of AI systems pursuant to Article 17 shall be examined in accordance with point 3 and shall be subject to surveillance as specified in point 5. The technical documentation of the AI system shall be examined in accordance with point 4. 3. Quality management system 3.1. The application of the provider shall include: (a) the name and address of the provider and, if the application is lodged by an authorised representative, also their name and address; (b) the list of AI systems covered under the same quality management system; (c) the technical documentation for each AI system covered under the same quality management system; (d) the documentation concerning the quality management system which shall cover all the aspects listed under Article 17; (e) a description of the procedures in place to ensure that the quality management system remains adequate and effective; (f) a written declaration that the same application has not been lodged with any other notified body. 3.2. The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17. The decision shall be notified to the provider or its authorised representative.
Show original text
3.2. The notified body will assess the quality management system to see if it meets the requirements in Article 17. They will inform the provider or their authorized representative of their decision, including the assessment conclusions and reasoning. 3.3. The provider must continue to implement and maintain the approved quality management system to ensure it remains effective. 3.4. If the provider plans to change the approved quality management system or the list of AI systems it covers, they must inform the notified body. The notified body will review the proposed changes to determine if the modified system still meets the requirements from 3.2 or if a reassessment is needed. The provider will be notified of the decision, which will include the conclusions and reasoning behind the assessment. 4. Control of Technical Documentation. 4.1. In addition to the application mentioned in point 3, the provider must submit an application to a notified body of their choice for assessing the technical documentation related to the AI system they want to market or use, which is covered by the quality management system from point 3. 4.2. The application must include: (a) the provider's name and address; (b) a declaration stating that the same application has not been submitted to any other notified body; (c) the technical documentation as outlined in Annex IV. 4.3. The notified body will examine the technical documentation.
any other notified body. 3.2. The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17. The decision shall be notified to the provider or its authorised representative. The notification shall contain the conclusions of the assessment of the quality management system and the reasoned assessment decision. 3.3. The quality management system as approved shall continue to be implemented and maintained by the provider so that it remains adequate and efficient. 3.4. Any intended change to the approved quality management system or the list of AI systems covered by the latter shall be brought to the attention of the notified body by the provider. The proposed changes shall be examined by the notified body, which shall decide whether the modified quality management system continues to satisfy the requirements referred to in point 3.2 or whether a reassessment is necessary. The notified body shall notify the provider of its decision. The notification shall contain the conclusions of the examination of the changes and the reasoned assessment decision. 4. Control of the technical documentation. 4.1. In addition to the application referred to in point 3, an application with a notified body of their choice shall be lodged by the provider for the assessment of the technical documentation relating to the AI system which the provider intends to place on the market or put into service and which is covered by the quality management system referred to under point 3. 4.2. The application shall include: (a) the name and address of the provider; (b) a written declaration that the same application has not been lodged with any other notified body; (c) the technical documentation referred to in Annex IV. EN OJ L, 12.7.2024 134/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 4.3. The technical documentation shall be examined by the notified body.
Show original text
On July 12, 2024, the technical documentation for AI systems must be reviewed by a notified body. This body will have full access to the training, validation, and testing data sets used, as needed, including remote access through APIs or other technical tools, while ensuring security. If the notified body needs more information or tests to properly assess the AI system's compliance with the requirements in Chapter III, Section 2, it can request additional evidence or conduct its own tests if the initial tests are unsatisfactory. If necessary, after exhausting other verification methods, the notified body can also access the AI system's training and trained models, including relevant parameters, while respecting intellectual property and trade secret laws. The notified body will inform the provider or their representative of its decision, including the assessment conclusions. If the AI system meets the requirements, the notified body will issue a Union technical documentation assessment certificate.
L, 12.7.2024 134/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj 4.3. The technical documentation shall be examined by the notified body. Where relevant, and limited to what is necessary to fulfil its tasks, the notified body shall be granted full access to the training, validation, and testing data sets used, including, where appropriate and subject to security safeguards, through API or other relevant technical means and tools enabling remote access. 4.4. In examining the technical documentation, the notified body may require that the provider supply further evidence or carry out further tests so as to enable a proper assessment of the conformity of the AI system with the requirements set out in Chapter III, Section 2. Where the notified body is not satisfied with the tests carried out by the provider, the notified body shall itself directly carry out adequate tests, as appropriate. 4.5. Where necessary to assess the conformity of the high-risk AI system with the requirements set out in Chapter III, Section 2, after all other reasonable means to verify conformity have been exhausted and have proven to be insufficient, and upon a reasoned request, the notified body shall also be granted access to the training and trained models of the AI system, including its relevant parameters. Such access shall be subject to existing Union law on the protection of intellectual property and trade secrets. 4.6. The decision of the notified body shall be notified to the provider or its authorised representative. The notification shall contain the conclusions of the assessment of the technical documentation and the reasoned assessment decision. Where the AI system is in conformity with the requirements set out in Chapter III, Section 2, the notified body shall issue a Union technical documentation assessment certificate.
Show original text
This document summarizes the findings from the assessment of the technical documentation and the decision made based on that assessment. If the AI system meets the requirements outlined in Chapter III, Section 2, the notified body will issue a Union technical documentation assessment certificate. This certificate will include the provider's name and address, the assessment conclusions, any conditions for its validity, and details needed to identify the AI system. The certificate and its attachments will provide all necessary information to evaluate the AI system's compliance and to monitor it during use, if applicable. If the AI system does not meet the requirements in Chapter III, Section 2, the notified body will deny the issuance of the certificate and will inform the applicant with detailed reasons for the refusal. If the AI system fails to meet the data quality requirements for training, it must be retrained before applying for a new conformity assessment. In this case, the notified body's refusal will include specific reasons related to the quality of the training data. Any changes to the AI system that might affect its compliance or intended purpose must be assessed by the notified body that issued the certificate. The provider must notify this body of any planned changes or if they become aware of any changes that have occurred.
contain the conclusions of the assessment of the technical documentation and the reasoned assessment decision. Where the AI system is in conformity with the requirements set out in Chapter III, Section 2, the notified body shall issue a Union technical documentation assessment certificate. The certificate shall indicate the name and address of the provider, the conclusions of the examination, the conditions (if any) for its validity and the data necessary for the identification of the AI system. The certificate and its annexes shall contain all relevant information to allow the conformity of the AI system to be evaluated, and to allow for control of the AI system while in use, where applicable. Where the AI system is not in conformity with the requirements set out in Chapter III, Section 2, the notified body shall refuse to issue a Union technical documentation assessment certificate and shall inform the applicant accordingly, giving detailed reasons for its refusal. Where the AI system does not meet the requirement relating to the data used to train it, re-training of the AI system will be needed prior to the application for a new conformity assessment. In this case, the reasoned assessment decision of the notified body refusing to issue the Union technical documentation assessment certificate shall contain specific considerations on the quality data used to train the AI system, in particular on the reasons for non-compliance. 4.7. Any change to the AI system that could affect the compliance of the AI system with the requirements or its intended purpose shall be assessed by the notified body which issued the Union technical documentation assessment certificate. The provider shall inform such notified body of its intention to introduce any of the abovementioned changes, or if it otherwise becomes aware of the occurrence of such changes.
Show original text
The notified body that issued the Union technical documentation assessment certificate must evaluate any changes the provider plans to make. The provider must inform this notified body about these changes or if they become aware of any changes. The notified body will determine if the changes need a new conformity assessment according to Article 43(4) or if they can be handled with a supplement to the existing certificate. If a supplement is issued, the notified body will assess the changes, inform the provider of its decision, and provide the supplement if the changes are approved. 5. Surveillance of the approved quality management system: 5.1. The purpose of the surveillance by the notified body is to ensure that the provider complies with the approved quality management system. 5.2. The provider must allow the notified body to access the locations where the design, development, and testing of the AI systems occur and share all necessary information. 5.3. The notified body will conduct regular audits to confirm that the provider is maintaining and applying the quality management system and will provide an audit report. During these audits, the notified body may also perform additional tests on the AI systems that have received a Union technical documentation assessment certificate.
be assessed by the notified body which issued the Union technical documentation assessment certificate. The provider shall inform such notified body of its intention to introduce any of the abovementioned changes, or if it otherwise becomes aware of the occurrence of such changes. The intended changes shall be assessed by the notified body, which shall decide whether those changes require a new conformity assessment in accordance with Article 43(4) or whether they could be addressed by means of a supplement to the Union technical documentation assessment certificate. In the latter case, the notified body shall assess the changes, notify the provider of its decision and, where the changes are approved, issue to the provider a supplement to the Union technical documentation assessment certificate. 5. Surveillance of the approved quality management system. 5.1. The purpose of the surveillance carried out by the notified body referred to in Point 3 is to make sure that the provider duly complies with the terms and conditions of the approved quality management system. 5.2. For assessment purposes, the provider shall allow the notified body to access the premises where the design, development, testing of the AI systems is taking place. The provider shall further share with the notified body all necessary information. 5.3. The notified body shall carry out periodic audits to make sure that the provider maintains and applies the quality management system and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which a Union technical documentation assessment certificate was issued. OJ L, 12.7.
Show original text
The provider must give an audit report. During these audits, the notified body can perform extra tests on the AI systems that have received a Union technical documentation assessment certificate. **ANNEX VIII** **Information Required for Registering High-Risk AI Systems (Article 49)** **Section A — Information from Providers of High-Risk AI Systems (Article 49(1))** Providers must submit and keep updated the following information for high-risk AI systems: 1. Provider's name, address, and contact details; 2. If someone else submits information for the provider, their name, address, and contact details; 3. Name, address, and contact details of the authorized representative, if applicable; 4. Trade name of the AI system and any other clear reference for identification and traceability; 5. Description of the AI system's intended purpose and its components and functions; 6. A brief description of the data used by the system and how it operates; 7. Status of the AI system (whether it is on the market, in service, no longer available, or recalled); 8. Type, number, and expiry date of the certificate from the notified body, along with the name or ID number of that body, if applicable; 9. A scanned copy of the certificate mentioned in point 8, if applicable.
shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which a Union technical documentation assessment certificate was issued. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 135/144 ANNEX VIII Information to be submitted upon the registration of high-risk AI systems in accordance with Article 49 Section A — Information to be submitted by providers of high-risk AI systems in accordance with Article 49(1) The following information shall be provided and thereafter kept up to date with regard to high-risk AI systems to be registered in accordance with Article 49(1): 1. The name, address and contact details of the provider; 2. Where submission of information is carried out by another person on behalf of the provider, the name, address and contact details of that person; 3. The name, address and contact details of the authorised representative, where applicable; 4. The AI system trade name and any additional unambiguous reference allowing the identification and traceability of the AI system; 5. A description of the intended purpose of the AI system and of the components and functions supported through this AI system; 6. A basic and concise description of the information used by the system (data, inputs) and its operating logic; 7. The status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled); 8. The type, number and expiry date of the certificate issued by the notified body and the name or identification number of that notified body, where applicable; 9. A scanned copy of the certificate referred to in point 8, where applicable; 10.
Show original text
The following information must be provided for AI systems registered under Article 49(2): 1. The type, number, and expiry date of the certificate from the notified body, along with the name or identification number of that body, if applicable. 2. A scanned copy of the certificate mentioned in point 1, if applicable. 3. The Member States where the AI system has been marketed, put into service, or made available in the EU. 4. A copy of the EU declaration of conformity as stated in Article 47. 5. Electronic instructions for use, except for high-risk AI systems related to law enforcement or migration, asylum, and border control management as listed in Annex III, points 1, 6, and 7. 6. An optional URL for additional information. Section B — Information required from providers of high-risk AI systems: 1. The provider's name, address, and contact details. 2. If someone else submits information on behalf of the provider, their name, address, and contact details. 3. The name, address, and contact details of the authorized representative, if applicable. 4. The trade name of the AI system and any other clear reference for identification and traceability. 5. A description of the AI system's intended purpose. 6. The conditions under Article 6(3) that classify the AI system as not high-risk. 7. A brief summary explaining why the AI system is considered not high-risk according to Article 6(3). 8. The current status of the AI system (whether it is on the market, in service, no longer available, or recalled).
The type, number and expiry date of the certificate issued by the notified body and the name or identification number of that notified body, where applicable; 9. A scanned copy of the certificate referred to in point 8, where applicable; 10. Any Member States in which the AI system has been placed on the market, put into service or made available in the Union; 11. A copy of the EU declaration of conformity referred to in Article 47; 12. Electronic instructions for use; this information shall not be provided for high-risk AI systems in the areas of law enforcement or migration, asylum and border control management referred to in Annex III, points 1, 6 and 7; 13. A URL for additional information (optional). Section B — Information to be submitted by providers of high-risk AI systems in accordance with Article 49(2) The following information shall be provided and thereafter kept up to date with regard to AI systems to be registered in accordance with Article 49(2): 1. The name, address and contact details of the provider; 2. Where submission of information is carried out by another person on behalf of the provider, the name, address and contact details of that person; 3. The name, address and contact details of the authorised representative, where applicable; 4. The AI system trade name and any additional unambiguous reference allowing the identification and traceability of the AI system; 5. A description of the intended purpose of the AI system; 6. The condition or conditions under Article 6(3)based on which the AI system is considered to be not-high-risk; 7. A short summary of the grounds on which the AI system is considered to be not-high-risk in application of the procedure under Article 6(3); 8. The status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled); 9.
Show original text
The AI system is classified as low-risk under Article 6(3). The following information must be provided and kept updated for high-risk AI systems as per Article 49(3): 1. The deployer's name, address, and contact details; 2. The name, address, and contact details of the person submitting information for the deployer; 3. The URL of the AI system's entry in the EU database; 4. A summary of the fundamental rights impact assessment findings as per Article 27; 5. A summary of the data protection impact assessment conducted under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, as specified in Article 26(8) of this Regulation, if applicable.
is considered to be not-high-risk in application of the procedure under Article 6(3); 8. The status of the AI system (on the market, or in service; no longer placed on the market/in service, recalled); 9. Any Member States in which the AI system has been placed on the market, put into service or made available in the Union. EN OJ L, 12.7.2024 136/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj Section C — Information to be submitted by deployers of high-risk AI systems in accordance with Article 49(3) The following information shall be provided and thereafter kept up to date with regard to high-risk AI systems to be registered in accordance with Article 49(3): 1. The name, address and contact details of the deployer; 2. The name, address and contact details of the person submitting information on behalf of the deployer; 3. The URL of the entry of the AI system in the EU database by its provider; 4. A summary of the findings of the fundamental rights impact assessment conducted in accordance with Article 27; 5. A summary of the data protection impact assessment carried out in accordance with Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680 as specified in Article 26(8) of this Regulation, where applicable. OJ L, 12.7.
Show original text
Regulation (EU) 2016/679 and Article 27 of Directive (EU) 2016/680, as mentioned in Article 26(8) of this Regulation, are applicable. The official journal reference is OJ L, 12.7.2024, and more details can be found at http://data.europa.eu/eli/reg/2024/1689/oj. ANNEX IX outlines the information required for registering high-risk AI systems listed in Annex III, specifically regarding real-world testing as per Article 60. The following details must be submitted and kept updated: 1. A unique identification number for the real-world testing. 2. The name and contact information of the provider and deployers involved in the testing. 3. A brief description of the AI system, its intended use, and other identifying information. 4. A summary of the main features of the real-world testing plan. 5. Information about any suspension or termination of the testing. ANNEX X lists Union legislative acts related to large-scale IT systems in the area of Freedom, Security, and Justice, including the Schengen Information System, governed by Regulation (EU) 2018/1860, which pertains to the use of the Schengen Information System for returning illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).
Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680 as specified in Article 26(8) of this Regulation, where applicable. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 137/144 ANNEX IX Information to be submitted upon the registration of high-risk AI systems listed in Annex III in relation to testing in real world conditions in accordance with Article 60 The following information shall be provided and thereafter kept up to date with regard to testing in real world conditions to be registered in accordance with Article 60: 1. A Union-wide unique single identification number of the testing in real world conditions; 2. The name and contact details of the provider or prospective provider and of the deployers involved in the testing in real world conditions; 3. A brief description of the AI system, its intended purpose, and other information necessary for the identification of the system; 4. A summary of the main characteristics of the plan for testing in real world conditions; 5. Information on the suspension or termination of the testing in real world conditions. EN OJ L, 12.7.2024 138/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj ANNEX X Union legislative acts on large-scale IT systems in the area of Freedom, Security and Justice 1. Schengen Information System (a) Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1).
Show original text
On 28 November 2018, the Council adopted several regulations regarding the Schengen Information System (SIS): (a) Regulation (EU) 2018/1860 focuses on using the SIS to help return third-country nationals who are staying illegally (published in OJ L 312, 7.12.2018, p. 1). (b) Regulation (EU) 2018/1861 outlines the establishment, operation, and use of the SIS for border checks, while also amending the Schengen Agreement and repealing Regulation (EC) No 1987/2006 (published in OJ L 312, 7.12.2018, p. 14). (c) Regulation (EU) 2018/1862 details the SIS's use in police and judicial cooperation in criminal matters, amending Council Decision 2007/533/JHA and repealing both Regulation (EC) No 1986/2006 and Commission Decision 2010/261/EU (published in OJ L 312, 7.12.2018, p. 56). Additionally, on 7 July 2021, the European Parliament and Council adopted Regulation (EU) 2021/1133, which amends several previous regulations to establish conditions for accessing other EU information systems for the Visa Information System.
of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, p. 1). (b) Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14). (c) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56). 2. Visa Information System (a) Regulation (EU) 2021/1133 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EU) No 603/2013, (EU) 2016/794, (EU) 2018/1862, (EU) 2019/816 and (EU) 2019/818 as regards the establishment of the conditions for accessing other EU information systems for the purposes of the Visa Information System (OJ L
Show original text
On July 13, 2021, the European Parliament and Council adopted Regulation (EU) 2021/1134, which amends several previous regulations related to the Visa Information System. This regulation aims to improve access to EU information systems for visa purposes and repeals certain earlier decisions (2004/512/EC and 2008/633/JHA). Additionally, on May 14, 2024, Regulation (EU) 2024/1358 was established to create 'Eurodac,' a system for comparing biometric data. This regulation helps implement other EU regulations and directives to identify illegally residing third-country nationals and stateless persons. It also allows law enforcement authorities and Europol to request comparisons with Eurodac data for law enforcement purposes, while amending Regulations (EU) 2018/1240 and (EU) 2019/818.
8/1862, (EU) 2019/816 and (EU) 2019/818 as regards the establishment of the conditions for accessing other EU information systems for the purposes of the Visa Information System (OJ L 248, 13.7.2021, p. 1). (b) Regulation (EU) 2021/1134 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EC) No 810/2009, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861, (EU) 2019/817 and (EU) 2019/1896 of the European Parliament and of the Council and repealing Council Decisions 2004/512/EC and 2008/633/JHA, for the purpose of reforming the Visa Information System (OJ L 248, 13.7.2021, p. 11). 3. Eurodac Regulation (EU) 2024/1358 of the European Parliament and of the Council of 14 May 2024 on the establishment of ‘Eurodac’ for the comparison of biometric data in order to effectively apply Regulations (EU) 2024/1315 and (EU) 2024/1350 of the European Parliament and of the Council and Council Directive 2001/55/EC and to identify illegally staying third-country nationals and stateless persons and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, amending Regulations (EU) 2018/1240 and (EU) 2019/818
Show original text
This text discusses various regulations related to law enforcement and border control in the European Union. It mentions the following key points: 1. **Comparison with Eurodac Data**: There are requests from law enforcement authorities in Member States and Europol to compare data with Eurodac for law enforcement purposes. This involves amending Regulations (EU) 2018/1240 and (EU) 2019/818, while repealing Regulation (EU) No 603/2013. This information is published in the Official Journal (OJ L, 2024/1358, 22.5.2024). 2. **Entry/Exit System (EES)**: Regulation (EU) 2017/2226, established on November 30, 2017, creates an Entry/Exit System to track the entry and exit of third-country nationals at the external borders of Member States. It also sets conditions for law enforcement access to this data and amends the Schengen Agreement and other related regulations (OJ L 327, 9.12.2017). 3. **European Travel Information and Authorisation System (ETIAS)**: Regulation (EU) 2018/1240, enacted on September 12, 2018, establishes ETIAS and amends several other regulations related to travel and border control (OJ L 236, 19.9.2018).
less persons and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, amending Regulations (EU) 2018/1240 and (EU) 2019/818 of the European Parliament and of the Council and repealing Regulation (EU) No 603/2013 of the European Parliament and of the Council (OJ L, 2024/1358, 22.5.2024, ELI: http://data.europa. eu/eli/reg/2024/1358/oj). 4. Entry/Exit System Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20). 5. European Travel Information and Authorisation System (a) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1).
Show original text
The following regulations are important for understanding EU policies: 1. Regulations (EU) 2016/399, (EU) 2016/1624, and (EU) 2017/2226 were published in the Official Journal (OJ L 236) on September 19, 2018. 2. Regulation (EU) 2018/1241, adopted by the European Parliament and Council on September 12, 2018, amends Regulation (EU) 2016/794 to create the European Travel Information and Authorisation System (ETIAS), also published in OJ L 236 on September 19, 2018. 3. Regulation (EU) 2019/816, established on April 17, 2019, creates a centralized system (ECRIS-TCN) to identify Member States that hold conviction information on third-country nationals and stateless persons. This regulation amends Regulation (EU) 2018/1726 and was published in OJ L 135 on May 22, 2019. 4. Regulation (EU) 2019/817, adopted on May 20, 2019, sets up a framework for interoperability between EU information systems related to borders and visas. It amends several previous regulations, including (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726, and (EU) 2018/1861.
4, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (OJ L 236, 19.9.2018, p. 1). (b) Regulation (EU) 2018/1241 of the European Parliament and of the Council of 12 September 2018 amending Regulation (EU) 2016/794 for the purpose of establishing a European Travel Information and Authorisation System (ETIAS) (OJ L 236, 19.9.2018, p. 72). OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 139/144 6. European Criminal Records Information System on third-country nationals and stateless persons Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1). 7. Interoperability (a) Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the
Show original text
(EU) Regulations 2016/399, 2017/2226, 2018/1240, 2018/1726, and 2018/1861, along with Council Decisions 2004/512/EC and 2008/633/JHA, are documented in OJ L 135, dated May 22, 2019, page 27. Additionally, Regulation (EU) 2019/818, established on May 20, 2019, creates a framework for interoperability among EU information systems related to police and judicial cooperation, asylum, and migration. This regulation also amends Regulations (EU) 2018/1726, 2018/1862, and 2019/816, as noted in OJ L 135, dated May 22, 2019, page 85. The technical documentation mentioned in Article 53(1), point (a), for providers of general-purpose AI models must include specific information based on the model's size and risk profile.
(EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27). (b) Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85). EN OJ L, 12.7.2024 140/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj ANNEX XI Technical documentation referred to in Article 53(1), point (a) — technical documentation for providers of general-purpose AI models Section 1 Information to be provided by all providers of general-purpose AI models The technical documentation referred to in Article 53(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: 1.
Show original text
All providers of general-purpose AI models must provide technical documentation as outlined in Article 53(1), point (a). This documentation should include the following information, tailored to the model's size and risk profile: 1. A general description of the AI model, which should cover: (a) The tasks the model is designed to perform and the types of AI systems it can be integrated with; (b) The acceptable use policies; (c) The release date and distribution methods; (d) The model's architecture and number of parameters; (e) The input and output formats (e.g., text, image); (f) The licensing information. 2. A detailed description of the model's components and the development process, including: (a) The technical requirements (e.g., usage instructions, infrastructure, tools) needed for integration into AI systems; (b) The design specifications and training process, including methodologies, key design choices, optimization goals, and the significance of various parameters; (c) Information about the data used for training, testing, and validation, including data type, source, curation methods (e.g., cleaning, filtering), number of data points, and measures to identify unsuitable data sources and biases; (d) The computational resources used for training (e.g., floating point operations), training duration, and other relevant training details; (e) The known or estimated energy consumption of the model.
to be provided by all providers of general-purpose AI models The technical documentation referred to in Article 53(1), point (a) shall contain at least the following information as appropriate to the size and risk profile of the model: 1. A general description of the general-purpose AI model including: (a) the tasks that the model is intended to perform and the type and nature of AI systems in which it can be integrated; (b) the acceptable use policies applicable; (c) the date of release and methods of distribution; (d) the architecture and number of parameters; (e) the modality (e.g. text, image) and format of inputs and outputs; (f) the licence. 2. A detailed description of the elements of the model referred to in point 1, and relevant information of the process for the development, including the following elements: (a) the technical means (e.g. instructions of use, infrastructure, tools) required for the general-purpose AI model to be integrated in AI systems; (b) the design specifications of the model and training process, including training methodologies and techniques, the key design choices including the rationale and assumptions made; what the model is designed to optimise for and the relevance of the different parameters, as applicable; (c) information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies (e.g. cleaning, filtering, etc.), the number of data points, their scope and main characteristics; how the data was obtained and selected as well as all other measures to detect the unsuitability of data sources and methods to detect identifiable biases, where applicable; (d) the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; (e) known or estimated energy consumption of the model.
Show original text
The following information must be provided by providers of general-purpose AI models that may pose systemic risks: 1. A clear description of any identifiable biases in the model, if applicable. 2. Details about the computational resources used for training the model, such as the number of floating point operations, training duration, and other relevant training information. 3. Information on the known or estimated energy consumption of the model. If the energy consumption is not known, it can be estimated based on the computational resources used. Additionally, providers must include: 1. A detailed explanation of the evaluation strategies used, including results based on public evaluation protocols or other methods. This should cover evaluation criteria, metrics, and how limitations were identified. 2. A description of any measures taken for internal or external adversarial testing (like red teaming) and any model adjustments, including alignment and fine-tuning. 3. An explanation of the system architecture, detailing how software components interact and integrate into the overall processing. This information is outlined in Article 53(1), point (b) of the regulation, and is essential for downstream providers who integrate the model into their AI systems.
identifiable biases, where applicable; (d) the computational resources used to train the model (e.g. number of floating point operations), training time, and other relevant details related to the training; (e) known or estimated energy consumption of the model. With regard to point (e), where the energy consumption of the model is unknown, the energy consumption may be based on information about computational resources used. Section 2 Additional information to be provided by providers of general-purpose AI models with systemic risk 1. A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies. Evaluation strategies shall include evaluation criteria, metrics and the methodology on the identification of limitations. 2. Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing (e.g. red teaming), model adaptations, including alignment and fine-tuning. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 141/144 3. Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. EN OJ L, 12.7.2024 142/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj ANNEX XII Transparency information referred to in Article 53(1), point (b) — technical documentation for providers of general-purpose AI models to downstream providers that integrate the model into their AI system The information referred to in Article 53(1), point (b) shall contain at least the following: 1.
Show original text
b) Technical documentation for providers of general-purpose AI models to those who integrate these models into their AI systems. According to Article 53(1), point (b), this documentation must include at least the following information: 1. A general description of the AI model, which should cover: (a) the tasks the model is designed to perform and the types of AI systems it can be integrated into; (b) the acceptable use policies; (c) the release date and distribution methods; (d) how the model interacts with external hardware or software, if applicable; (e) the versions of relevant software related to the model's use, if applicable; (f) the model's architecture and number of parameters; (g) the type (e.g., text, image) and format of inputs and outputs; (h) the model's license. 2. A description of the model's components and its development process, which should include: (a) the technical requirements (e.g., usage instructions, infrastructure, tools) needed for integrating the model into AI systems; (b) the type and format of inputs and outputs, including their maximum size (e.g., context window length); (c) details about the data used for training, testing, and validation, including the type, source, and curation methods of the data.
b) — technical documentation for providers of general-purpose AI models to downstream providers that integrate the model into their AI system The information referred to in Article 53(1), point (b) shall contain at least the following: 1. A general description of the general-purpose AI model including: (a) the tasks that the model is intended to perform and the type and nature of AI systems into which it can be integrated; (b) the acceptable use policies applicable; (c) the date of release and methods of distribution; (d) how the model interacts, or can be used to interact, with hardware or software that is not part of the model itself, where applicable; (e) the versions of relevant software related to the use of the general-purpose AI model, where applicable; (f) the architecture and number of parameters; (g) the modality (e.g. text, image) and format of inputs and outputs; (h) the licence for the model. 2. A description of the elements of the model and of the process for its development, including: (a) the technical means (e.g. instructions for use, infrastructure, tools) required for the general-purpose AI model to be integrated into AI systems; (b) the modality (e.g. text, image, etc.) and format of the inputs and outputs and their maximum size (e.g. context window length, etc.); (c) information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies. OJ L, 12.7.
Show original text
This document outlines the criteria for identifying general-purpose AI models that may pose systemic risks, as mentioned in Article 51. The European Commission will consider the following factors to determine if an AI model meets the criteria: (a) the number of parameters in the model; (b) the quality or size of the training data set, which can be measured in tokens; (c) the computational resources used for training, assessed through floating point operations or other indicators like training cost, time, or energy consumption; (d) the types of inputs and outputs the model can handle, such as text-to-text or text-to-image, and the standards for high-impact capabilities; (e) the model's performance on benchmarks, including its ability to perform tasks without extra training, learn new tasks, and its autonomy and scalability; (f) its potential impact on the internal market, which is assumed if it has at least 10,000 registered business users in the EU; and (g) the total number of registered end-users.
.g. context window length, etc.); (c) information on the data used for training, testing and validation, where applicable, including the type and provenance of data and curation methodologies. OJ L, 12.7.2024 EN ELI: http://data.europa.eu/eli/reg/2024/1689/oj 143/144 ANNEX XIII Criteria for the designation of general-purpose AI models with systemic risk referred to in Article 51 For the purpose of determining that a general-purpose AI model has capabilities or an impact equivalent to those set out in Article 51(1), point (a), the Commission shall take into account the following criteria: (a) the number of parameters of the model; (b) the quality or size of the data set, for example measured through tokens; (c) the amount of computation used for training the model, measured in floating point operations or indicated by a combination of other variables such as estimated cost of training, estimated time required for the training, or estimated energy consumption for the training; (d) the input and output modalities of the model, such as text to text (large language models), text to image, multi-modality, and the state of the art thresholds for determining high-impact capabilities for each modality, and the specific type of inputs and outputs (e.g. biological sequences); (e) the benchmarks and evaluations of capabilities of the model, including considering the number of tasks without additional training, adaptability to learn new, distinct tasks, its level of autonomy and scalability, the tools it has access to; (f) whether it has a high impact on the internal market due to its reach, which shall be presumed when it has been made available to at least 10 000 registered business users established in the Union; (g) the number of registered end-users. EN OJ L, 12.7.
Show original text
The reach of a service will be considered sufficient if it is accessible to at least 10,000 registered business users located in the European Union. Additionally, the total number of registered end-users will also be taken into account.
to its reach, which shall be presumed when it has been made available to at least 10 000 registered business users established in the Union; (g) the number of registered end-users. EN OJ L, 12.7.2024 144/144 ELI: http://data.europa.eu/eli/reg/2024/1689/oj

Entities

10 000 registered business users

A threshold indicating the number of users required for the regulation's reach to be presumed.

10 years

The duration for which importers must keep documentation related to high-risk AI systems.

13 June 2024

June 13, 2024, is the date on which Regulation (EU) 2024/1689 was adopted.

15 calendar days

The time frame within which objections must be raised by Member States or the Commission regarding an authorization.

15 days

The maximum time frame within which providers must report serious incidents after becoming aware of them.

17 April 2019

The date when Directive (EU) 2019/790 was adopted.

18 June 2021

The date on which the joint opinion of the European Data Protection Supervisor and Board was delivered.

2 August 2025

The deadline for the governance and conformity assessment system to be operational and for obligations regarding general-purpose AI models to apply.

2 August 2026

The date from which the Regulation will fully apply and Member States must ensure operational AI regulatory sandboxes.

2 August 2027

The date by which AI systems must be placed on the market to be subject to compliance requirements, and from which certain obligations in the regulation apply.

2 August 2028

The deadline for the Commission to evaluate and report on amendments to the list of high-risk areas and the functioning of the AI Office.

2 August 2029

The deadline for the Commission to evaluate and review the Regulation.

2 August 2030

The compliance deadline for operators of certain AI systems to meet the requirements of the Regulation.

2 August 2031

The deadline by which the Commission must assess the enforcement of the Regulation.

2 February 2025

The date from which prohibitions and general provisions of the Regulation will apply due to unacceptable risks.

2 February 2026

This date marks the deadline for the Commission to adopt an implementing act for the post-market monitoring plan.

2 May 2025

The deadline by which codes of practice should be ready to enable compliance demonstration.

2009/48/EC

Directive of the European Parliament and of the Council on the safety of toys, established on 18 June 2009.

2017/746

This Regulation establishes a governance framework for coordinating and supporting the application of AI regulations at both national and Union levels.

2019 Ethics Guidelines for Trustworthy AI

Guidelines developed by the AI HLEG outlining seven non-binding ethical principles for ensuring AI is trustworthy and ethically sound.

2024/1689

A regulation proposed to lay down uniform obligations for operators regarding the use of AI systems within the internal market.

31 December 2030

The deadline for AI systems placed on the market before 2 August 2027 to comply with the new regulation.

7 %

The percentage of total worldwide annual turnover that can be imposed as a fine for undertakings in case of non-compliance.

acceptable use policies

Policies that define the acceptable ways in which the general-purpose AI model can be used.

accountability framework

A framework that outlines the responsibilities of management and staff regarding various aspects of high-risk AI systems.

Accreditation Certificate

A document issued by a national accreditation body certifying that a conformity assessment body complies with established requirements.

accuracy

Accuracy is a measure of how closely a computed or measured value aligns with the true value, particularly relevant in the context of AI systems.

administrative fine

An administrative fine is a financial penalty imposed on operators for infringements of the regulation, which can be up to EUR 1,500,000.

advisory forum

The advisory forum is a consultative body that provides technical expertise and advice to the European Commission on AI regulation and standardisation requests.

affected persons

Individuals who are impacted by decisions made with the assistance of AI systems.

AI

A fast-evolving family of technologies that contributes to various economic, environmental, and societal benefits.

AI ecosystem

The network of actors involved in the development and deployment of AI technologies, which may include various stakeholders cooperating within the regulatory framework.

AI HLEG

The High-Level Expert Group on Artificial Intelligence provides guidelines and ethical frameworks for the development of trustworthy AI.

AI literacy

The knowledge and skills necessary to understand and effectively engage with AI systems, including their development and application.

AI literacy

The knowledge necessary for relevant actors in the AI value chain to understand the implications of AI decisions and ensure compliance.

AI literacy

The level of understanding and competence in using AI systems required for those involved in their development and operation.

AI literacy

Skills and knowledge that enable individuals to understand and engage with AI systems effectively.

AI literacy

Skills, knowledge, and understanding that enable providers, deployers, and affected persons to make informed decisions regarding the deployment of AI systems.

AI model

A specific implementation of an AI system that can generate content, including general-purpose models.

AI models

AI models are specific implementations of artificial intelligence systems that can be marketed or used within the Union, often involving the processing of personal data.

AI models

Specific types of AI systems developed for scientific research and development.

AI Office

An authority responsible for overseeing compliance, monitoring AI models, and facilitating the development of codes of practice related to AI systems.

AI practices

Practices involving artificial intelligence that may be subject to regulation under Union law.

AI Regulation

A set of binding rules for AI systems aimed at ensuring ethical and professional standards in research and development activities.

AI regulatory sandbox

A controlled environment established by national competent authorities to facilitate the development, testing, and validation of innovative AI systems under regulatory oversight, ensuring compliance with regulations.

AI regulatory sandbox

A controlled environment established by a competent authority for the development and testing of AI systems under regulatory supervision.

AI regulatory sandbox

A framework established to allow for the testing of AI technologies in a controlled environment.

AI regulatory sandboxes

Controlled environments established by Member States for SMEs to test AI systems under regulatory oversight, ensuring compliance with legal standards.

AI regulatory sandboxes

Regulatory frameworks that allow AI providers to test technologies in controlled environments, ensuring compliance and fostering innovation.

AI system

An AI system that performs tasks requiring human intelligence, capable of learning and reasoning, and may be subject to regulations based on its risk classification and intended use.

AI systems

AI systems are technological frameworks designed to perform tasks requiring human-like intelligence, subject to regulations ensuring their safety, compliance, and ethical use across various sectors, including high-risk applications.

AI systems for credit evaluation

AI systems used to evaluate the credit score or creditworthiness of natural persons, classified as high-risk due to their impact on access to financial resources.

AI systems for creditworthiness evaluation

AI systems intended to evaluate the creditworthiness of natural persons or establish their credit score.

AI systems for detecting financial fraud

AI systems designed specifically to identify and prevent financial fraud.

AI systems for education assessment

AI systems intended to assess the appropriate level of education that an individual will receive or access within educational and vocational training institutions.

AI systems for emergency call evaluation

AI systems used to assess and classify emergency calls and prioritize dispatching emergency services.

AI systems for health and life insurance

AI systems intended for risk assessment and pricing in health and life insurance, which can significantly impact individuals' livelihoods.

AI systems for monitoring prohibited behaviour

AI systems used for monitoring and detecting prohibited behaviour of students during tests in educational and vocational training institutions.

AI systems for public services evaluation

AI systems used by public authorities to evaluate the eligibility of natural persons for essential public assistance benefits and services.

AI systems for recruitment

AI systems intended for the recruitment or selection of natural persons, including placing job advertisements and evaluating candidates.

AI systems for remote biometric identification

AI systems designed for the remote identification of individuals based on biometric data, which can lead to biased results and discriminatory effects.

AI systems for risk assessment and pricing

AI systems intended for evaluating risks and determining pricing in life and health insurance for natural persons.

AI systems for risk assessment in insurance

AI systems used for risk assessment and pricing in relation to natural persons in life and health insurance.

AI systems for social scoring

AI systems that evaluate or classify natural persons or groups based on multiple data points related to their social behavior and personal characteristics.

AI value chain

The series of processes and parties involved in the development and deployment of AI systems.

AI-enabled manipulative techniques

Techniques that use AI to persuade individuals into unwanted behaviors or decisions, impairing their autonomy and decision-making.

AI-on-demand platform

A platform aimed at promoting and facilitating the use of artificial intelligence technologies across various sectors.

AI-on-demand platform

A platform designed to provide AI-related services and support, contributing to the implementation of regulations.

alternative dispute resolution bodies

Institutions that facilitate the resolution of disputes outside of the court system.

Annex I

A section of the regulation listing Union harmonisation legislation relevant to AI systems and covering specific certification requirements.

Annex I

Annex I lists the Union harmonisation legislation applicable to high-risk AI systems and relevant for market surveillance.

Annex II

A section of the regulation that outlines specific offences punishable by custodial sentences or detention orders.

Annex III

Annex III specifies categories and compliance requirements for high-risk AI systems, including those subject to specific reporting obligations and regulatory oversight.

Annex III

Annex III outlines the specific conditions under which AI systems are classified as high-risk and their associated requirements.

Annex III

This annex provides details on high-risk AI systems, including use-cases, compliance requirements, and classifications.

Annex III

This directive specifies the types of high-risk AI systems and outlines the registration requirements for their deployment.

Annex III

A section of the regulation that lists specific high-risk AI systems in areas such as law enforcement and migration.

Annex IV

Annex IV outlines the minimum elements required in the technical documentation for high-risk AI systems.

Annex IV

This annex specifies the technical documentation requirements for high-risk AI systems, including simplified provisions for SMEs.

Annex IX

A directive that includes additional points relevant to the registration of high-risk AI systems.

Annex IX

An annex specifying the information required for the registration of high-risk AI systems.

Annex V

Annex V outlines the information that must be included in the EU declaration of conformity.

Annex V

Annex V contains information related to the EU declaration of conformity for high-risk AI systems.

Annex VI

An annex describing internal control procedures for conformity assessment.

Annex VI

Annex that discusses internal control measures for conformity assessment procedures.

Annex VII

An annex outlining conformity assessment procedures specifically for high-risk AI systems.

Annex VII

Annex that outlines the conformity assessment procedure for AI systems.

Annex VII

A section of regulatory documentation that specifies requirements for technical documentation assessment and quality management system approvals.

Annex VIII

A directive that specifies the information required for the registration of high-risk AI systems.

Annex VIII

An annex that lists data to be entered into the EU database concerning high-risk AI systems.

Annex VIII

A section of the regulation that lists the data to be entered into the EU database.

Annex XI

A section of the regulation that outlines minimum information requirements for technical documentation of AI models.

Annex XI

An annex detailing compliance obligations and technical requirements for AI model providers.

Annex XII

A section of the regulation that specifies elements to be included in the documentation for AI systems.

Annex XII

An annex that may be amended to reflect evolving technological developments.

Annex XIII

A document that contains criteria for evaluating the capabilities and impact of AI models.

Annex XIII

A section of the regulation that outlines the criteria for designating general-purpose AI models as presenting systemic risks.

Annexes VI and VII

Annexes that are subject to amendment by the Commission in light of technical progress.

annual reports

Reports submitted by Member States to the Commission regarding the use of biometric identification systems.

Article 10

An article within Directive (EU) 2016/680 that outlines specific rules regarding the processing of biometric data.

Article 10 of Directive (EU) 2016/680

An article that allows the processing of biometric data only where strictly necessary and subject to appropriate safeguards.

Article 10(4)

An article within a regulation that outlines specific requirements for AI systems.

Article 100

A specific article within the regulation that addresses administrative fines imposed on Union institutions, bodies, offices, and agencies.

Article 101

Article 101 outlines fines for providing incorrect, incomplete, or misleading information in the context of AI model evaluations and for failure to provide access as requested.

Article 102

An article within the regulation that discusses amendments and provisions related to the regulation.

Article 103

An article within the regulation that includes amendments related to artificial intelligence systems.

Article 104

An article that amends Regulation (EU) No 168/2013 by adding a subparagraph regarding delegated acts for AI systems.

Article 11

This article specifies the technical documentation requirements for compliance concerning high-risk AI systems.

Article 11(1)

A specific article within the regulation that outlines requirements for technical documentation.

Article 112

An article within the regulation that outlines the evaluation and review process by the Commission.

Article 114 TFEU

An article of the Treaty on the Functioning of the European Union that allows for the establishment of measures to ensure the functioning of the internal market.

Article 12

Article 12 outlines record-keeping requirements for high-risk AI systems, including mechanisms for logging.

Article 12(1)

This article outlines the requirements for accessing logs generated by high-risk AI systems.

Article 13

A provision within Directive (EU) 2016/680 that outlines obligations regarding personal data use in law enforcement and risk management for high-risk AI systems.

Article 13 of Directive (EU) 2016/680

An article that outlines obligations regarding the right to an explanation for individuals affected by high-risk AI systems.

Article 13(3), point (d)

A specific point within an article that discusses the technical measures needed for interpreting AI system outputs.

Article 14

This article outlines the requirements for human oversight of high-risk AI systems and the powers of market surveillance authorities within the regulatory framework.

Article 15

Article 15 specifies the metrics, robustness, and cybersecurity standards for testing and validating high-risk AI systems.

Article 16

This article specifies the obligations of providers and importers of high-risk AI systems within the regulatory framework.

Article 16 TFEU

Article 16 of the Treaty on the Functioning of the European Union establishes rules for the protection of personal data within the EU.

Article 16(1)

An article within Regulation (EU) 2022/2065 that addresses the processing of notices on illegal content.

Article 16(6)

An article within Regulation (EU) 2022/2065 that pertains to the obligations of hosting service providers.

Article 17

This article outlines the requirements for a quality management system related to high-risk AI systems and their conformity assessment.

Article 18

This article details the documentation requirements that providers of high-risk AI systems must maintain.

Article 18 of Regulation (EU) 2019/1020

An article that applies to measures taken by the market surveillance authority regarding compliance.

Article 19

This article discusses the maintenance of logs generated by high-risk AI systems and provides procedures for notifying serious incidents.

Article 2, point (1)(c)

An article within Regulation (EU) No 1025/2012 that defines harmonised standards relevant for compliance with the regulation.

Article 20

This article mandates corrective actions and information provision required for compliance by providers of high-risk AI systems.

Article 21

An article that details the cooperation requirements between providers of high-risk AI systems and competent authorities.

Article 21(6)

An article within Regulation (EU) 2019/1020 that outlines specific tasks for Union AI testing support structures.

Article 22

An article that refers to the committee that the Commission must inform before preparing a draft implementing act.

Article 22(1)

An article mandating the appointment of an authorized representative by the provider of high-risk AI systems, outlining specific regulatory requirements.

Article 24

An article outlining the obligations of distributors regarding high-risk AI systems before they are made available on the market.

Article 25

An article within Regulation 2024/1689 that details the responsibilities along the AI value chain for high-risk AI systems.

Article 26

An article outlining the obligations of deployers of high-risk AI systems.

Article 26(5)

An article that discusses the monitoring of high-risk AI systems.

Article 27

An article mandating a fundamental rights impact assessment for high-risk AI systems.

Article 27 of Directive (EU) 2016/680

An article that specifies additional requirements for data protection assessments in certain contexts.

Article 28

An article that outlines the responsibilities of notifying authorities in Member States regarding conformity assessment bodies.

Article 29(2)

Article 29(2) refers to the accreditation certificate required for notified bodies to perform their activities.

Article 29(3)

Article 29(3) refers to the documentary evidence required for notified bodies to perform their activities.

Article 290 TFEU

An article of the Treaty on the Functioning of the European Union that allows the delegation of powers to the Commission for adopting acts.

Article 3

Article 3 outlines specific points related to serious incidents involving AI systems that must be reported to the national competent authority.

Article 3, point (4)

An article within Directive (EU) 2016/680 that defines the scope of personal data processing by competent authorities.

Article 3, point (5)

An article within Regulation (EU) 2018/1725 that outlines specific provisions related to personal data processing.

Article 30

An article detailing the notification procedure for conformity assessment bodies and pertaining to the administrative cooperation group for market surveillance.

Article 30 of Regulation (EU) 2019/1020

An article that outlines the role of the administrative cooperation group (ADCO) for market surveillance under the specified regulation.

Article 31

An article outlining the requirements for conformity assessment bodies, including their establishment, legal personality, and necessary organizational standards.

Article 32

Article 32 discusses the presumption of conformity with requirements relating to notified bodies, stating that if a conformity assessment body meets certain harmonised standards, it is presumed to comply with the requirements set out in Article 31.

Article 33

Article 33 outlines the responsibilities of notified bodies when subcontracting tasks related to conformity assessment, emphasizing the need for compliance with Article 31 and the accountability of notified bodies for their subcontractors.

Article 33 of Regulation (EU) 2019/1020

An article that mandates the Commission to support market surveillance activities.

Article 34

An article detailing the operational obligations of notified bodies regarding the verification of high-risk AI systems in conformity assessments.

Article 34(4)

An article in Regulation (EU) 2019/1020 that outlines the reporting obligations of market surveillance authorities.

Article 35

Article 35 details the assignment of identification numbers to notified bodies and the public availability of their lists.

Article 35 of Regulation (EU) 2016/679

An article that outlines the requirements for data protection impact assessments.

Article 36

Article 36 addresses the notification of changes regarding notified bodies to the Commission and Member States.

Article 37

An article in the regulation that addresses challenges to the competence of notified bodies.

Article 39

An article within the regulation that discusses the authorization of conformity assessment bodies from third countries.

Article 39 of the Charter

An article enshrining the right to vote, which is protected under Union law.

Article 4

An article in the regulation that addresses AI literacy requirements for providers and deployers of AI systems.

Article 4 (1) of Directive (EU) 2016/680

An article that lays down principles for the processing of personal data, including lawfulness, fairness, and transparency.

Article 4(2) TEU

An article of the Treaty on European Union that outlines the responsibilities of Member States regarding national security.

Article 4, point (4)

An article within Regulation (EU) 2016/679 that defines profiling in the context of personal data processing.

Article 40

An article addressing harmonised standards and standardisation deliverables within the regulation.

Article 41

An article discussing the adoption of implementing acts for common specifications and harmonised standards conferring a presumption of conformity.

Article 43

This article outlines the conformity assessment procedures for high-risk AI systems prior to their market placement, including fees for SMEs.

Article 43(4)

A specific article that outlines the conditions under which changes to the AI systems require a new conformity assessment.

Article 45

A specific article that outlines the information obligations of notified bodies regarding conformity assessment.

Article 47

This article details the requirements for drawing up an EU declaration of conformity for high-risk AI systems.

Article 48

Specifies the requirements for affixing the CE marking to high-risk AI systems.

Article 49

An article detailing registration requirements for high-risk AI systems in the EU database before market placement.

Article 49(1)

This article outlines the registration obligations for providers of high-risk AI systems.

Article 49(2)

Article 49(2) details the registration obligations for providers of AI systems that are not classified as high-risk.

Article 49(3)

An article that mandates the submission of information by deployers of high-risk AI systems.

Article 49(4)

A provision that specifies the requirements for registering testing in real-world conditions for high-risk AI systems.

Article 49(5)

A provision that outlines additional requirements for providers of high-risk AI systems regarding testing in real-world conditions.

Article 5

An article that specifies prohibited AI practices and associated penalties for non-compliance within the regulatory framework.

Article 5 TEU

An article in the Treaty on European Union outlining the principles of subsidiarity and proportionality.

Article 50

An article outlining provisions for the deployment of high-risk AI systems, including transparency obligations and compliance requirements.

Article 51

An article that defines classification rules and conditions for general-purpose AI models to avoid being classified as presenting systemic risks.

Article 52

An article outlining the procedure for notifying the Commission regarding the classification and regulation of general-purpose AI models.

Article 53

An article outlining obligations for providers of AI models, particularly regarding information updates in light of market developments.

Article 53(1)

An article outlining the requirements for technical documentation related to AI models, particularly general-purpose models.

Article 53(1), point (b)

A specific article in the regulation that outlines requirements for technical documentation.

Article 54

An article that complements the obligations outlined in Article 53 with additional compliance requirements.

Article 54(3)

An article within Regulation (EU) 2019/881 that pertains to the compliance of high-risk AI systems with cybersecurity requirements.

Article 55

An article specifying additional obligations for providers of general-purpose AI models with systemic risk, including those covered by codes of practice.

Article 56

An article that refers to codes of practice for compliance with obligations related to AI systems.

Article 56 (6)

An article that details the procedure for the Commission to adopt implementing acts related to codes of practice.

Article 57

An article in the regulation detailing specific conditions for conducting real-world testing of AI systems.

Article 58

An article detailing the establishment and functioning of AI regulatory sandboxes within the European Union.

Article 59

A specific provision within the regulation that addresses the further processing of personal data for developing AI systems in the public interest.

Article 6

An article within the regulation that outlines the classification rules for high-risk AI systems.

Article 6(3)

An article that outlines the criteria and procedures for classifying AI systems as high-risk or not-high-risk.

Article 60

An article outlining additional conditions and procedures for testing high-risk AI systems, including those outside regulatory sandboxes.

Article 61

An article outlining the requirements for obtaining informed consent from subjects involved in testing AI systems.

Article 62

An article discussing measures for providers and deployers of AI systems, particularly focusing on SMEs and start-ups.

Article 62(1), point (c)

A specific provision that outlines the requirements for interaction with AI regulatory sandboxes.

Article 63

An article in the regulation that discusses derogations for specific operators, particularly microenterprises.

Article 64

An article that outlines the governance structure at the Union level, specifically regarding the AI Office.

Article 65

An article outlining the establishment and structure of the European Artificial Intelligence Board.

Article 66

An article detailing the tasks of the European Artificial Intelligence Board in relation to the regulation.

Article 67

An article within a regulation that refers to the advisory forum for consultation during the drafting of common specifications.

Article 68

Article 68 establishes the criteria for appointing independent experts to conduct evaluations of AI models and discusses the establishment of a scientific panel.

Article 68(1)

An article within the Regulation that refers to the implementing act concerning the structure and level of fees for expert advice.

Article 69

An article that outlines the access of Member States to the pool of experts by the scientific panel.

Article 7

An article within the regulation that empowers the Commission to adopt delegated acts to amend Annex III.

Article 70

An article that outlines the designation of national competent authorities and single points of contact.

Article 71

An article referring to the EU database for the registration of high-risk AI systems, containing compliance-related information.

Article 71(4)

A legal provision that requires registration of testing in real-world conditions with a unique identification number.

Article 72

Article 72 outlines the post-market monitoring system and risk management measures for high-risk AI systems, including obligations for deployers.

Article 73

This article outlines the procedures for reporting serious incidents related to high-risk AI systems.

Article 74

A provision in the regulatory framework that outlines the role of market surveillance authorities and information exchange.

Article 74(10)

An article that specifies the obligations of the competent authorities and national authorities regarding the high-risk AI system.

Article 74(11)

An article that refers to cross-border market surveillance activities.

Article 76

An article that outlines the supervision of testing in real-world conditions by market surveillance authorities.

Article 77

This article outlines the powers of national public authorities or bodies in supervising and enforcing obligations under Union law related to fundamental rights, particularly concerning high-risk AI systems.

Article 77(1)

Article 77(1) outlines cooperation requirements for operators and authorities, emphasizing consultation with relevant national public authorities regarding AI systems.

Article 78

This article sets out confidentiality obligations for information obtained by competent authorities and during conformity assessment activities.

Article 79

An article defining the risks associated with high-risk AI systems, outlining distributor responsibilities and the procedures for corrective actions and compliance evaluations.

Article 79(1)

Article 79(1) defines conditions under which a high-risk AI system may present a risk or be considered non-compliant.

Article 8

An article that outlines the compliance requirements for high-risk AI systems.

Article 80

An article that outlines the procedure for dealing with AI systems classified as non-high-risk.

Article 83

Article 83 addresses formal non-compliance regarding the affixing of CE markings and related documentation.

Article 84

Article 84 designates Union AI testing support structures for tasks related to AI, focusing on enhancing testing capabilities.

Article 85

An article that grants the right to lodge a complaint with a market surveillance authority regarding infringements of the regulation.

Article 86

An article that provides the right to explanation of individual decision-making based on outputs from high-risk AI systems.

Article 87

An article that outlines the reporting of infringements and the protection of reporting persons under Directive (EU) 2019/1937.

Article 88

An article that discusses the enforcement of obligations for providers of general-purpose AI models.

Article 89

An article that details the monitoring actions that the AI Office can take regarding compliance with the regulation.

Article 9

An article addressing the requirements for a risk management system for high-risk AI systems, including the processing of biometric data.

Article 9(2)

Article 9(2) refers to fundamental rights that may be at risk when using high-risk AI systems.

Article 90

Article 90 provides a framework for addressing systemic risks associated with general-purpose AI models, allowing the scientific panel to alert the AI Office about potential risks.

Article 91

Article 91 pertains to requests for documents or information that must be complied with by providers of AI models.

Article 92

Article 92 grants the AI Office the power to conduct evaluations of general-purpose AI models to assess compliance and investigate systemic risks.

Article 93

Article 93 includes measures that must be complied with by providers of AI models.

Article 94

Article 94 addresses procedural guarantees relevant to the supervision and enforcement of AI regulations, focusing on the rights of economic operators.

Article 96

Article 96 provides guidelines for the practical implementation of regulations concerning AI systems.

Article 97

Article 97 empowers the Commission to adopt delegated acts to amend existing regulations and lists regarding high-risk AI systems.

Article 97(2)

An article that empowers the Commission to amend specific annexes in light of technological developments.

Article 98

Article 98 details the examination procedure for adopting implementing acts and outlines the committee procedure and the role of the Commission.

Article 98(2)

An article outlining the examination procedure for adopting implementing acts related to AI models and regulatory sandboxes.

Article 99

Article 99 specifies penalties, including fines, for non-compliance with AI system regulations.

Articles 29 and 30

Articles that lay down procedures applicable to extensions of the scope of notifications for notified bodies.

Articles 40 and 41

Articles 40 and 41 refer to harmonised standards or common specifications that confer a presumption of conformity for AI systems.

Articles 53 and 55

Specific articles within a regulation that outline obligations related to the codes of practice.

Articles 79 to 83

Specific articles within a regulation that detail procedures related to market surveillance.

Articles 91 to 94

Specific articles that outline the powers and procedures related to the assessment of AI models.

Artificial Intelligence Act

The Artificial Intelligence Act, also known as Regulation (EU) 2024/1689, establishes rules and requirements for artificial intelligence systems within the EU.

Artificial Intelligence Act

Regulation (EU) 2024/1689 establishes harmonised rules on artificial intelligence and amends several previous regulations and directives.

Artificial Intelligence Act

The colloquial name for Regulation (EU) 2024/1689, focusing on the regulation of AI systems.

Artificial Intelligence systems

Systems that utilize AI technology, specifically those classified as safety components in the context of the regulation.

artists, authors, and other creators

Individuals who create content and may be affected by the use of AI in the creation and distribution of their works.

asylum

An area of application for high-risk AI systems related to the processing of asylum claims.

asylum authorities

Agencies that process applications for asylum and provide protection to individuals fleeing persecution.

audit report

A report provided by the notified body after conducting audits to ensure compliance with the quality management system.

Authorised representative

A person or entity established in the Union that acts on behalf of providers from third countries to ensure compliance of AI systems.

authorised representative

A representative appointed by a provider to fulfill regulatory obligations on their behalf within the Union.

automation bias

The tendency of users to rely excessively on the output of high-risk AI systems, potentially leading to errors in decision-making.

basic supplies

Essential goods and services necessary for the population's survival and well-being.

benchmarks

Benchmarks are standards used to evaluate the performance and capabilities of high-risk AI systems and general-purpose AI models.

biometric categorisation

The classification of individuals based on their biometric data, used in various applications including law enforcement.

biometric categorisation

The process of assigning natural persons to specific categories based on their biometric data, such as sex, age, and other traits.

biometric categorisation system

An AI system that categorizes individuals based on their biometric data.

biometric categorisation systems

AI systems designed to categorize individuals based on biometric data, often used in law enforcement and regulated under data protection laws.

biometric data

Biometric data is a special category of personal data derived from physical, physiological, or behavioral characteristics of individuals, used for identification purposes.

biometric identification systems

AI systems that use biometric data for identification purposes, which may have significant consequences if they produce incorrect matches.

Biometrics

AI systems related to biometric identification and categorization, including remote identification and emotion recognition.

Board

A governing body that advises the Commission and Member States on AI system regulations, coordinates activities among national authorities, and ensures effective implementation of codes of practice.

border control authorities

Agencies that manage the entry and exit of individuals at national borders, ensuring compliance with immigration laws.

border control management

An area where high-risk AI systems are applied to manage border control processes.

CE marking

CE marking certifies that a product complies with EU safety, health, and environmental protection standards for sale within the European Economic Area.

CE marking

A certification mark indicating that an AI system complies with EU safety, health, and environmental standards as per applicable legislation.

CEN

The European Committee for Standardization, a permanent member of the advisory forum contributing to the Regulation's implementation.

CENELEC

The European Committee for Electrotechnical Standardization, involved in standardization efforts related to the Regulation and a permanent member of the advisory forum.

certificates

Documents issued by notified bodies to confirm compliance with regulatory standards.

certificates

Documents issued by notified bodies that validate compliance with AI system regulations and can be suspended or withdrawn under specific circumstances.

Chapter 2 of Title V TEU

A section of the Treaty on European Union that addresses the common Union defense policy.

Chapter III, Section 2

This section outlines specific requirements for high-risk AI systems within Regulation (EU) 2024/1689.

Chapter III, Section 2

A section within Regulation (EU) 2024/1689 that outlines requirements for AI systems.

Chapter III, Section 2

A section within Regulation (EU) 2024/1689 that outlines specific requirements and oversight measures for AI systems.

Chapter III, Section 2

A specific section of regulatory text that outlines requirements for AI systems, including compliance, validation, and testing procedures.

Chapter V

A chapter within the regulation that includes obligations related to conformity assessment.

Chapter VI of Regulation (EU) 2019/1020

A chapter that provides procedures applicable to market surveillance authorities.

Charter

The Charter of Fundamental Rights of the European Union enshrines the fundamental rights and freedoms of EU citizens.

Charter

The charter is a document that enshrines fundamental rights and freedoms, including non-discrimination, data protection, and privacy, particularly in the context of AI systems.

Charter of Fundamental Rights of the European Union

A document that enshrines fundamental rights such as democracy, the rule of law, and environmental protection within the European Union.

Charter of Fundamental Rights of the European Union

A document that enshrines fundamental rights and freedoms in the EU, including health and safety.

civil society organisations

Non-governmental organizations that represent various interests and advocate for the rights of individuals and communities.

civilian purposes

Non-military uses of AI systems, such as humanitarian efforts or law enforcement.

civilian purposes

Uses of AI systems that fall within the scope of the Regulation, as opposed to military or defense uses.

closed circuit television cameras

Devices used to capture video footage for surveillance and identification purposes.

codes of conduct

Codes of conduct are frameworks and guidelines developed under regulation to ensure ethical practices in the design and use of AI models.

codes of practice

Guidelines outlining the obligations for providers of general-purpose AI models to ensure compliance with regulations and manage systemic risks.

codes of practice

Codes of practice serve as guidelines for AI model providers to ensure responsible use and compliance with obligations related to systemic risks.

Commission

The European Commission is the executive body of the EU responsible for proposing legislation, ensuring compliance with EU laws, and overseeing the regulation of AI systems.

Commission Decision of 24 January 2024

The decision that outlines the establishment of the AI Office.

Commission Decision of 24.1.2024

A decision establishing the European Artificial Intelligence Office.

Commission Recommendation 2003/361/EC

A regulation that defines the criteria for small and medium-sized enterprises (SMEs) within the European Union.

Commission Work Programme 2021

A document that refers to the involvement of employees and service providers in work-related contractual relationships.

common rules for AI regulatory sandboxes

Set of guidelines established to ensure uniform implementation of AI regulatory sandboxes across the Union.

common specification

A set of technical specifications defined in Article 2, point (4) of Regulation (EU) No 1025/2012 for compliance with certain requirements.

common specifications

Common specifications provide fallback guidelines for compliance when harmonised standards are unavailable or inadequate.

common specifications

Regulatory requirements that AI systems must meet to ensure safety and compliance.

competent authorities

Regulatory bodies responsible for overseeing compliance and safety of AI systems during their development and implementation.

competent authority

A competent authority oversees compliance and enforcement of regulations related to high-risk AI systems.

competent public authorities

Authorities designated by law to manage migration, asylum, and border control, utilizing AI systems in their operations.

Computation

The amount of computational resources used for training AI models, often measured in floating point operations.

computational resources

The resources required to train the AI model, including the number of floating point operations and training time.

computational resources

Resources such as processing power and memory used to train the AI model.

confidential business information

Sensitive information that must be protected according to Union and national law.

conformity assessment

Conformity assessment is the procedure to evaluate whether high-risk AI systems meet regulatory requirements before market placement.

Conformity Assessment Bodies

Organizations that assess and ensure that products, services, or systems meet specified standards and regulations.

conformity assessment body

An organization that assesses the conformity of products or services with specified requirements.

conformity assessment procedure

A procedure to evaluate whether products with digital elements meet essential cybersecurity requirements.

Conformity assessment procedure based on internal control

A procedure that verifies compliance with established quality management systems and essential requirements.

core function of the State

Fundamental responsibilities and duties of a government to ensure the safety and welfare of its citizens.

Council

The Council of the European Union, representing member state governments and collaborating with the European Parliament to create and adopt legislation.

Council Directive 84/450/EEC

A directive that was amended by Directive 2005/29/EC, concerning misleading advertising.

Council Directive 85/374/EEC

A directive concerning liability for defective products, which remains applicable alongside the new regulation.

Council Directive 87/357/EEC

A directive that was repealed by Regulation (EU) 2023/988, concerning the safety of certain products.

Council Directives 89/686/EEC and 93/15/EEC

Directives that are amended by Regulation (EU) No 1025/2012, related to safety and compliance in various sectors.

Council Framework Decision 2002/584/JHA

This framework decision outlines criminal offenses relevant to law enforcement and establishes procedures for the European arrest warrant among Member States.

Council Framework Decision 2008/977/JHA

A framework decision concerning the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

Council of 25 November 2020

The Council of the European Union, which adopted a regulation on representative actions for consumer protection.

Council of the European Union

The Council of the European Union represents member states' governments and collaborates with the European Parliament in the legislative process.

Council Regulation (EU) No 1024/2013

A regulation that establishes the Single Supervisory Mechanism, conferring specific supervisory tasks to the European Central Bank for credit institutions.

Court of Justice of the European Union

The highest court in the EU, responsible for ensuring uniform interpretation and application of EU law.

credit score evaluation

AI systems used to assess the creditworthiness of individuals, classified as high-risk due to their impact on access to financial resources.

criteria for designation

The set of standards outlined in an annex to the regulation for classifying AI models with systemic risks.

Critical digital infrastructure

Essential services and systems that support the functioning of society, such as water, gas, heating, and electricity supply.

critical infrastructure

Essential systems and assets that are vital for the functioning of a society and economy.

critical infrastructure

Essential systems such as water, gas, heating, and electricity that are vital for the health and safety of persons and the functioning of society.

critical infrastructure

An area where high-risk AI systems are utilized, requiring registration at the national level.

Critical infrastructure

AI systems used as safety components in the management and operation of critical digital infrastructure.

critical products

Products with digital elements that are deemed essential and require a high level of assurance.

critical thinking

An essential competence for learners to analyze and evaluate information in educational contexts.

cryptographic methods

Techniques used to ensure the provenance and authenticity of content through cryptography.

cyber resilience

The ability of an AI system to withstand and recover from cyber threats.

cybersecurity

A set of measures and controls aimed at protecting AI systems from cyberattacks and ensuring their resilience against malicious activities.

cybersecurity

Cybersecurity encompasses measures and practices designed to protect systems, networks, and data from cyber threats and attacks.

cybersecurity measures

These technical measures are designed to protect high-risk AI systems from unauthorized alterations and cyber threats.

cybersecurity protection

Measures to ensure the security of AI models and their infrastructure against systemic risks.

cybersecurity scheme

A framework under which high-risk AI systems can be certified for compliance with cybersecurity requirements.

data

Large amounts of information used to train AI models through various learning methods.

data

The information used for training, testing, and validating the AI model, including its type and provenance.

Data Act

The directive that Regulation (EU) 2023/2854 amends, concerning fair access to and use of data.

Data and data governance

An article that discusses the requirements for data sets used in the development of high-risk AI systems.

data collections

Aggregated sets of data that may be used in the training of AI models, which can include both private and public databases.

data governance

The framework that ensures compliance with data requirements, including integrity and validation of data sets.

Data Governance Act

The directive that Regulation (EU) 2022/868 amends, focusing on data governance in the EU.

data management systems

Systems and procedures for managing data related to high-risk AI systems, including acquisition, collection, and analysis.

data protection and privacy

Fundamental rights that may be undermined by AI systems monitoring performance and behavior.

Data set

A collection of data used for training, testing, and validation of AI models.

data sets

Collections of high-quality and relevant data used for training, validation, and testing AI systems, essential for their effective performance.

data sheets

Documentation that details the datasets used in AI systems, aiding in information sharing and trust.

data used for training

The dataset utilized for training, testing, and validating the general-purpose AI model.

date of release

The date when the general-purpose AI model is made available for use.

Decision No 1247/2002/EC

A decision related to the processing of personal data and privacy in the context of the European Union.

Decision No 768/2008/EC

This decision establishes harmonised rules applicable across sectors, providing a common framework for product marketing and conformity assessment.

deep fake

AI-generated or manipulated content that misleadingly resembles real persons, objects, or events.

deep fakes

Content that has been artificially created or manipulated to resemble existing persons, objects, or events, potentially misleading viewers.

defence rights of suspects

Legal rights that protect individuals under investigation, particularly regarding the use of AI tools.

deployer

The deployer is any individual or entity, including public authorities, that utilizes an AI system under their authority, excluding personal non-professional activities.

deployer

An entity that deploys AI systems and is responsible for reporting serious incidents.

digital CE marking

A certification mark indicating that a product complies with EU safety, health, and environmental protection standards.

Digital Europe Programme

A funding programme by the European Union aimed at enhancing digital skills and infrastructure.

Digital Europe Programme

A programme aimed at reinforcing the EU's digital capabilities and promoting the digital transformation of the economy and society.

Digital Services Act

A regulation aimed at establishing a single market for digital services, amending Directive 2000/31/EC.

Digital Single Market

A market framework aimed at ensuring the free movement of goods, services, and capital within the European Union.

Directive (EU) 2016/2102

A directive concerning the accessibility of public sector websites and mobile applications, establishing requirements that high-risk AI systems must meet.

Directive (EU) 2016/680

This directive provides rules for the protection of personal data processed by competent authorities for law enforcement purposes, enhancing privacy and data security.

Directive (EU) 2016/797

A directive concerning the interoperability of the rail system within the EU, aimed at enhancing safety and efficiency.

Directive (EU) 2016/943

This directive addresses the protection of undisclosed know-how and business information against unlawful acquisition, use, and disclosure.

Directive (EU) 2019/1937

A directive focused on the protection of whistleblowers reporting infringements of Union law.

Directive (EU) 2019/790

A directive addressing copyright law and its implications for digital content and AI, particularly concerning text and data mining.

Directive (EU) 2019/882

This directive addresses accessibility requirements for products and services, particularly in the context of AI systems, and aims to protect individuals' vulnerabilities.

Directive (EU) 2020/1828

A directive concerning representative actions for consumer protection, amended by the Artificial Intelligence Act.

Directive (EU) 2022/2557

This directive establishes rules for the protection and resilience of critical infrastructure and network security across the EU.

Directive 2000/31/EC

This directive addresses legal aspects of information society services, particularly focusing on electronic commerce and digital services.

Directive 2001/95/EC

A directive that was repealed by Regulation (EU) 2023/988, concerning general product safety.

Directive 2002/14/EC

A directive from the European Parliament and Council that establishes a framework for informing and consulting employees in the European Community.

Directive 2002/58/EC

This directive addresses the protection of privacy and confidentiality in electronic communications, regulating data processing in this sector.

Directive 2005/29/EC

This directive prohibits unfair commercial practices that harm consumers and amends several previous directives related to business-to-consumer practices.

Directive 2006/42/EC

A directive establishing essential health and safety requirements for machinery within the EU.

Directive 2008/48/EC

A directive concerning credit agreements for consumers, which repeals Council Directive 87/102/EEC.

Directive 2009/138/EC

A directive from the European Parliament and Council concerning the business of insurance and reinsurance in the EU, known as Solvency II.

Directive 2009/22/EC

An earlier directive that was repealed by Directive (EU) 2020/1828 regarding collective consumer interests.

Directive 2009/48/EC

A directive concerning the safety of toys, adopted by the European Parliament and Council.

Directive 2013/32/EU

A directive from the European Parliament and Council that establishes common procedures for granting and withdrawing international protection in the EU.

Directive 2013/36/EU

A directive from the European Parliament and Council that establishes rules for the prudential supervision of credit institutions and investment firms in the EU, amending previous directives.

Directive 2013/53/EU

Directive of the European Parliament and of the Council on recreational craft and personal watercraft, established on 20 November 2013.

Directive 2014/17/EU

A directive of the European Parliament and Council on credit agreements for consumers relating to residential immovable property, amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010.

Directive 2014/31/EU

A directive by the European Parliament and Council on the harmonisation of laws regarding non-automatic weighing instruments.

Directive 2014/32/EU

A directive by the European Parliament and Council on the harmonisation of laws regarding measuring instruments.

Directive 2014/33/EU

Directive of the European Parliament and of the Council on the harmonisation of laws relating to lifts and safety components for lifts, established on 26 February 2014.

Directive 2014/34/EU

Directive of the European Parliament and of the Council on the harmonisation of laws relating to equipment and protective systems for potentially explosive atmospheres, established on 26 February 2014.

Directive 2014/53/EU

Directive of the European Parliament and of the Council on the harmonisation of laws relating to the market availability of radio equipment, established on 16 April 2014.

Directive 2014/68/EU

Directive of the European Parliament and of the Council on the harmonisation of laws relating to the market availability of pressure equipment, established on 15 May 2014.

Directive 2014/90/EU

A directive concerning the safety of maritime equipment, which is being amended to include provisions related to artificial intelligence systems.

Directive 98/79/EC

A directive that was repealed by Regulation (EU) 2017/746, concerning in vitro diagnostic medical devices.

Directive on improving working conditions in platform work

A directive aimed at enhancing working conditions for individuals engaged in platform work.

Directives 2014/31/EU

A directive from the European Parliament and Council aimed at ensuring the accuracy of measurements in commercial transactions.

Directives 2014/32/EU

Another directive from the European Parliament and Council focused on legal metrology to promote transparency and fairness in commercial transactions.

Directives 2014/90/EU, 2016/797, 2020/1828

A set of directives that are amended by Regulation (EU) 2024/1689.

Directives 96/9/EC and 2001/29/EC

Previous directives that were amended by Directive (EU) 2019/790, concerning copyright and related rights.

discrimination

The unjust or prejudicial treatment of different categories of people, often highlighted in the context of AI systems and their outputs.

discriminatory outcomes

Negative results that may arise from the use of AI systems, leading to unfair treatment of individuals or groups.

distributor

A natural or legal person in the supply chain, other than the provider or the importer, that makes an AI system available on the Union market.

downstream provider

A downstream provider is responsible for fulfilling obligations related to AI systems, integrating AI models regardless of their source.

drivers

Individuals whose fatigue states may be monitored to prevent accidents, not included in the emotion recognition system.

Education and vocational training

AI systems intended for use in educational settings to determine access, evaluate learning outcomes, and assess educational levels.

effective remedy

The right to seek a legal remedy or correction when one's rights are violated, which could be affected by AI system decisions.

electronic notification tool

A tool developed and managed by the Commission for notifying conformity assessment bodies.

ELI

The European Legislation Identifier, a unique identifier providing access to legal documents, including the Regulation.

ELI: http://data.europa.eu/eli/reg/2024/1689/oj

The electronic legal information reference for Regulation 2024/1689, providing access to the official text.

ELI: http://data.europa.eu/eli/reg/2024/1689/oj

The European Legislation Identifier link to the regulation document.

Emergency response AI systems

AI systems used to evaluate and classify emergency calls and dispatch emergency services, classified as high-risk due to their critical decision-making role.

emotion recognition system

An AI system that identifies or infers the emotions or intentions of individuals based on their biometric data.

energy consumption

The known or estimated energy usage of an AI model during its operation.

ENISA

The European Union Agency for Cybersecurity, responsible for improving the overall cybersecurity posture of the EU and involved in regulatory implementation.

environmental sustainability

Environmental sustainability is a key consideration in assessing the impact of AI systems, focusing on energy-efficient programming and design.

ethical principles

Guidelines for the development of AI systems that promote diversity, non-discrimination, and fairness.

Ethics Guidelines for Trustworthy AI

Guidelines established by the Union to promote ethical and trustworthy practices in the development and deployment of AI systems.

ethnic or religious minorities

Groups that may be more susceptible to exploitation by AI systems due to their social status.

ethnic or religious minorities

Groups that may be more susceptible to exploitation by AI systems, as highlighted in the text.

ETSI

The European Telecommunications Standards Institute, a permanent member of the advisory forum that may contribute to the Regulation's implementation.

EU database

A publicly accessible database managed by the European Commission for registering high-risk AI systems and their providers, ensuring compliance with relevant regulations.

EU database

A dedicated database for registering AI system testing activities, managed by competent authorities.

EU database for high-risk AI systems

A database established to maintain information on high-risk AI systems as outlined in the regulation.

EU declaration of conformity

A document certifying that a high-risk AI system complies with relevant EU regulatory requirements and cybersecurity standards.

EU declaration of conformity

This declaration certifies compliance with EU regulations for high-risk AI systems, as referred to in Article 47.

EU declaration of conformity

A document certifying that a high-risk AI system meets the necessary standards and regulations set by the European Union before being marketed.

EUR 1 500 000

The maximum administrative fine for non-compliance with the prohibition of certain AI practices as stated in Article 5.

EUR 35 000 000

The maximum administrative fine for non-compliance with the prohibition of certain AI practices.

EUR 750 000

The maximum administrative fine for non-compliance with any requirements or obligations under the regulation, excluding those in Article 5.

EuroHPC Joint Undertaking

A European initiative aimed at developing a world-class supercomputing infrastructure.

European Artificial Intelligence Board

A consultative body established to oversee and guide the implementation of AI regulations and best practices within the European Union.

European Artificial Intelligence Office

An office responsible for developing templates and guidelines to facilitate compliance for AI system deployers.

European Central Bank

The central bank for the euro, responsible for administering monetary policy within the Eurozone and overseeing financial system stability.

European Commission

The European Commission is the executive branch of the EU responsible for proposing legislation, implementing decisions, and upholding EU treaties.

European Criminal Records Information System (ECRIS)

A system designed to facilitate the exchange of criminal records information between EU Member States.

European Data Protection Board

An independent European body that ensures consistent application of data protection rules across the EU.

European Data Protection Supervisor

An independent supervisory authority ensuring compliance with data protection laws in the EU, overseeing institutions and potentially establishing AI regulatory sandboxes.

European Digital Innovation Hubs

Entities that support digital transformation and innovation in Europe by providing access to technology, expertise, and high-quality data sets.

European Economic and Social Committee

An advisory body of the European Union that will also receive reports regarding the Regulation.

European harmonised standard

A standard that, once published and assessed, grants providers the presumption of conformity with obligations.

European harmonised standards

Standards that, when complied with, grant providers a presumption of conformity regarding their obligations.

European health data space

A common data space that facilitates access to health data for training AI algorithms in a privacy-preserving manner.

European Parliament

The European Parliament is the directly elected legislative body of the EU, sharing power with the Council and involved in creating and adopting EU legislation.

European Parliament and Council

The legislative bodies of the European Union responsible for enacting directives and regulations.

European Parliament and Council Regulation

A regulation that sets horizontal cybersecurity requirements for products with digital elements, which high-risk AI systems must comply with.

European Parliament and of the Council

The legislative body of the European Union, responsible for enacting legislation and representing EU citizens.

European standardisation organisations

These organisations develop and maintain standards across various sectors in Europe, including AI, ensuring they meet stakeholder needs.

European Travel Information and Authorisation System (ETIAS)

A system established to enhance border security and manage travel authorizations for non-EU nationals.

European Union

The European Union is a political and economic union of member states primarily located in Europe, with its own institutions and laws responsible for establishing regulations and directives.

Europol

The European Union Agency for Law Enforcement Cooperation, assisting member states in combating serious international crime and terrorism.

evaluation strategies

Strategies for evaluating AI models, including criteria, metrics, and methodologies.

exit report

A document detailing the activities carried out in the AI regulatory sandbox, including results and learning outcomes, provided by the competent authority.

extreme poverty

A social condition that makes individuals more vulnerable to exploitation, mentioned in the context of AI systems.

facial recognition databases

Databases storing facial images for identification purposes, often created through the scraping of images from various sources, raising significant privacy concerns.

fair trial

The right to a legal process that is fair and impartial, which may be compromised by the use of AI systems in legal contexts.

feedback loops

Processes where the output of a system is fed back into the system as input, which can lead to biased outcomes if not managed properly.

filters categorising facial or body features

Technological features used in online marketplaces and social networks to categorize users based on their physical attributes.

fine-tuning

A process that adjusts the parameters of a pre-trained AI model to improve its performance on specific tasks.

fingerprints

Unique identifiers used to trace the origin of content generated by AI systems.

floating point operations

A measure of the cumulative amount of computation used for training general-purpose AI models, relevant for assessing their capabilities.

Free and open-source AI components

Software and data, including models, that can be shared and modified freely under specific licensing conditions.

free and open-source licence

A licensing model that allows tools, services, and components to be used freely without compliance mandates.

fundamental rights

Fundamental rights and freedoms that must be protected in the context of AI deployment, including the right to privacy.

fundamental rights

Basic human rights protected by the Charter, including privacy and non-discrimination, which are critical in the context of AI system deployment.

fundamental rights

Basic human rights that must be protected during the development and testing of AI systems.

Fundamental Rights Agency

An agency ensuring the respect of fundamental rights within the context of the Regulation and participating in the advisory forum.

fundamental rights concerns

Issues related to the protection of fundamental rights that must be addressed in the context of standardisation.

fundamental rights impact assessment

This assessment evaluates the impact of biometric identification systems on fundamental rights and identifies risks to individuals affected by high-risk AI systems.

Fundamental rights impact assessment

An assessment that deployers must perform to evaluate the impact of high-risk AI systems on fundamental rights.

fundamental rights impact assessments

Assessments conducted to evaluate the impact of AI systems on fundamental rights.

general-purpose AI model

A type of AI model designed for a wide range of applications, subject to regulatory evaluations and potential systemic risks.

general-purpose AI model

A type of AI model designed for a wide range of applications, which can be placed on the market.

general-purpose AI models

AI models capable of performing a wide range of tasks, typically trained on large datasets and designed for various applications.

general-purpose AI models

AI models designed for a wide range of applications, subject to compliance obligations and potential systemic risks.

general-purpose AI models with systemic risk

AI models that may present systemic risks and require specific obligations from their providers.

general-purpose AI system

An AI system that integrates a general-purpose AI model, capable of serving various purposes directly or as part of other systems.

General-purpose AI systems

AI systems that can be utilized as high-risk systems or components of other high-risk AI systems for various purposes.

governance framework

A framework established by the Regulation to coordinate and support its application at national and Union levels.

Hardware

The physical devices on which the AI system is intended to run.

harmonised standard

Harmonised standards are developed to ensure compliance with specific obligations for AI providers and are proposed for publication by European standardisation organisations.

harmonised standard

A standard defined in Article 2(1), point (c), of Regulation (EU) No 1025/2012.

harmonised standards

Harmonised standards ensure compliance with EU legislation and reflect the state of the art in technology and practices relevant to high-risk AI systems.

health and safety

Regulations aimed at ensuring the well-being and protection of individuals in various environments, including those affected by AI.

health sector

An industry focused on health services and products, where the reliability of AI systems is critical for diagnostics and decision support.

high impact capabilities

Capabilities of an AI model that indicate a significant potential impact, evaluated using technical tools and methodologies.

high-impact capabilities

Capabilities of AI models that match or exceed those of the most advanced general-purpose AI models, posing significant risks.

high-quality data

Data that meets adequate requirements for performance, accuracy, and robustness, essential for training AI systems effectively.

high-risk AI system

An AI system classified as high-risk due to its significant potential impact on health, safety, or fundamental rights, requiring compliance with stringent regulatory obligations and oversight.

high-risk AI system for post-remote biometric identification

An AI system classified as high-risk that is used for biometric identification from a distance, particularly in law enforcement contexts.

high-risk AI systems

High-risk AI systems are those identified as posing significant risks to health, safety, and fundamental rights, requiring stringent regulatory oversight and compliance measures.

Horizon Europe

The EU Research and Innovation programme that aims to support research and innovation across Europe.

human oversight

Measures designed to ensure that high-risk AI systems can be effectively monitored by natural persons during their use.

identity checks

Procedures conducted by authorities to verify the identity of individuals, often involving the use of information systems.

immigration authorities

Government bodies that regulate the entry, stay, and exit of foreign nationals in a country.

imminent threat to life

A condition that indicates a serious risk to the life or safety of individuals.

impact assessment

A systematic process to evaluate the potential effects of deploying a high-risk AI system, focusing on risks to fundamental rights and governance arrangements.

implementation acts

Acts that may be used by the Commission to approve codes of practice or provide common rules for implementation.

importer

A person or entity in the Union that markets an AI system under the name or trademark of a third-country entity.

Importers and distributors

Operators in the AI value chain who contribute to the development and distribution of AI systems.

in vitro diagnostic medical devices

Medical devices used for diagnostic purposes outside of the human body, which may be classified as high-risk.

inclusive and diverse design

An approach to AI system development that emphasizes the inclusion of diverse perspectives and stakeholders.

independent administrative authority

An authority that can also grant authorization for the use of biometric identification systems, with binding decisions in the Member State.

innovative AI systems

Artificial intelligence systems that are being developed and tested within the regulatory sandboxes to ensure compliance with relevant laws.

Instructions for use

Documentation that accompanies high-risk AI systems, detailing their characteristics, capabilities, limitations, and usage guidelines.

intellectual property rights

Legal rights that protect the creations of the mind, which must be observed in the context of AI systems.

interdisciplinary cooperation

Collaboration between AI developers and experts from various fields to address issues related to inequality, non-discrimination, and digital rights.

Interinstitutional Agreement of 13 April 2016

An agreement that outlines the principles for better law-making within the European Union.

Interinstitutional Agreement of 13 April 2016 on Better Law-Making

An agreement that outlines principles for better law-making within the EU, ensuring transparency and equal participation.

internal and/or external adversarial testing

Testing methods such as red teaming to identify vulnerabilities in AI models.

internal market

The internal market of the EU facilitates the free movement of goods and services among member states, impacting the deployment of AI models.

internal processes

Operations within an organization that do not involve providing products or services to third parties.

international organisations

Entities established by treaties between multiple countries that may operate internationally and use AI systems in cooperation with the Union.

international partners

Organizations and entities outside the EU that collaborate on metrology and measurement indicators related to AI.

Ireland

A member state of the European Union that is referenced in the context of data protection regulations.

judicial authority

An independent authority that grants prior authorization for the use of biometric identification systems, ensuring compliance with legal standards.

key performance indicators

Metrics used to measure the success of the implementation of the codes of practice.

large generative AI models

A subset of general-purpose AI models capable of generating diverse content such as text, audio, images, or video.

law enforcement

This modality involves the application of law by authorities to maintain public order, utilizing AI systems for enforcement and public safety.

law enforcement

Uses of AI systems for maintaining public order and safety, which are included in the scope of the Regulation.

law enforcement

Law enforcement encompasses agencies responsible for enforcing laws, maintaining public order, and preventing and investigating crimes, potentially using AI systems.

law enforcement authorities

Law enforcement authorities are government agencies responsible for maintaining public order and enforcing laws, which may utilize AI systems in their operations.

law enforcement authority

A law enforcement authority is responsible for maintaining public order and enforcing laws, requiring authorization for the use of biometric identification systems.

law-enforcement authorities

Authorities responsible for maintaining public order and safety, which may act in urgent situations regarding high-risk AI systems.

logging methods

Techniques for recording the generation and manipulation of content.

logic- and knowledge-based approaches

Approaches that allow AI systems to infer from encoded knowledge or symbolic representations.

logs

Records generated by the AI system that document verifications and operations performed by users.

M. Michel

The President of the Council of the European Union who signed the regulation.

machine learning approaches

Techniques that enable AI systems to learn from data to achieve specific objectives.

machine-brain interfaces

Technological systems that connect directly with the human brain to influence behavior through stimuli.

machinery

Products designed for mechanical work, which may be classified as high-risk under certain regulations.

mandate

A written document that specifies the tasks assigned to the authorised representative by the provider.

manipulative or exploitative AI-enabled practices

Practices involving AI systems that can lead to harmful outcomes for users.

market surveillance authorities

Authorities responsible for enforcing compliance with regulations, ensuring product safety, and monitoring high-risk AI systems in the market.

market surveillance authority

A regulatory authority within each Member State responsible for monitoring and ensuring compliance with market regulations, particularly concerning high-risk AI systems and biometric identification, to uphold safety and standards.

media literacy

A necessary skill for learners to effectively engage with digital content and participate in society.

medical devices

Products used for medical purposes that may be classified as high-risk under certain regulations.

Member State

A member state is a country within the European Union that implements national laws and regulations, including those related to biometric identification systems.

Member States

Countries that are members of the European Union, responsible for implementing EU regulations and ensuring compliance with AI-related laws.

metadata identifications

Methods for identifying the metadata associated with content to prove its authenticity.

metrology and benchmarking authorities

Organizations that focus on measurement standards and benchmarks, particularly in the context of AI systems.

microenterprises

Small businesses that may be exempt from certain regulations regarding the use of personal data.

microenterprises

Small businesses that may face challenges in fulfilling regulatory obligations due to their size and resources.

migration

An area of application for high-risk AI systems that involves the management of migration processes.

military purposes

Uses of AI systems that are specifically excluded from the scope of the Regulation.

Modalities

Different types of input and output formats for AI models, such as text-to-text or text-to-image.

modality

The types of input and output formats that an AI model can handle, such as text or image.

model and data cards

Documentation tools that provide essential information about AI models and datasets, promoting transparency and understanding.

model cards

Documentation practices that provide information about AI models to promote transparency and trustworthiness.

model evaluation

The assessment of an AI model's effectiveness and accuracy.

model evaluations

Processes required to assess the performance and risks associated with AI models.

model retraining

The process of updating an AI model with new data to improve its performance.

model testing

The evaluation of an AI model's performance using a separate dataset.

model training

The process of teaching an AI model to make predictions or decisions based on data.

mutual recognition agreements

Agreements aimed at recognizing conformity assessment results across different jurisdictions.

Mutual recognition agreements

Agreements aimed at facilitating trade and cooperation between the EU and third countries.

national authorities

National authorities that are granted access to the restricted sections of the EU database.

national competent authorities

National bodies designated to ensure compliance with AI regulations and oversee the implementation of laws within their jurisdictions.

national competent authority

The designated authority in each Member State responsible for overseeing AI system compliance and handling serious incident notifications.

national data protection authority

This authority oversees data protection laws and ensures compliance with regulations regarding personal data at the national level.

national law

National law refers to the legal framework established by individual countries that governs the use of biometric identification systems and other regulations.

national law

The body of laws and regulations that govern individual member states of the European Union.

national public authorities

Government bodies at the national level that may be involved in the oversight and regulation of AI systems.

natural person

An individual whose risk of becoming a victim or offender is assessed using AI systems.

natural persons

Individuals whose fundamental rights and freedoms are protected under the regulation and who may be affected by AI systems.

natural persons

Individuals whose rights and personal data may be affected by the deployment of high-risk AI systems.

New Legislative Framework

A framework aimed at enhancing the coherence and effectiveness of EU product legislation, ensuring compliance and safety across member states.

notification template

A standardized form that deployers must fill out to notify the market surveillance authority of their assessment results.

notified bodies

Notified bodies are organizations designated to assess the conformity of high-risk AI systems, ensuring compliance with regulatory standards through independent evaluations.

notified body

A notified body is an organization designated to assess the conformity of high-risk AI systems and issue necessary certificates.

Notifying Authorities

Organizations responsible for overseeing the notification of conformity assessment bodies and ensuring compliance with relevant regulations.

notifying authority

The authority responsible for overseeing notified bodies, ensuring compliance with regulations, and confirming the status of certificates.

obligations

Requirements that providers of general-purpose AI models must adhere to in order to ensure safety and compliance.

Official Journal of the European Union

The Official Journal of the European Union serves as the primary publication for legal acts, regulations, and harmonised standards relevant to EU legislation.

Official Journal of the European Union

The official publication of the European Union containing legal texts, regulations, and directives.

OJ L

The Official Journal of the European Union, where legal documents and regulations are published, including the regulation dated 12.7.2024.

OJ L

The Official Journal of the European Union publishes legal documents, regulations, and directives.

OJ L

The Official Journal of the European Union where regulations and legal documents are published.

OJ L

The Official Journal of the European Union publishes legal documents, including regulations.

OJ L

Official Journal of the European Union where regulations and directives are published.

OJ L

Official Journal of the European Union where the regulation is published.

OJ L 117, 5.5.2017

The official journal publication date for Regulation (EU) 2017/746.

OJ L 135, 22.5.2019

The official journal publication date for Regulation (EU) 2019/816.

OJ L 236, 19.9.2018

The official journal publication date for Regulation (EU) 2018/1241.

OJ L 60, 2.3.2013

The official journal publication date for both Regulation (EU) No 168/2013 and Regulation (EU) No 167/2013.

OJ L 80, 23.3.2002

The official journal date for Directive 2002/14/EC.

OJ L 97, 9.4.2008

The official journal publication date for Regulation (EC) No 300/2008.

OJ L, 12.7.2024

This date refers to the official journal publication of the regulation, marking its formal release and entry into effect.

OJ L, 12.7.2024

This entry in the Official Journal references the regulation regarding high-risk AI systems adopted on July 12, 2024.

OJ L, 12.7.2024

Official Journal of the European Union where the regulation is published.

online marketplaces

Platforms where products are sold, allowing consumers to preview items using filters.

online social network services

Platforms that allow users to share content online, which may include features for modifying pictures or videos.

open-source license

A type of software license that allows users to freely use, modify, and distribute the software.

open-source model

A general-purpose AI model that is released to the public with its source code available for use and modification.

operator

An entity involved in the operation of an AI system, which may include providers, manufacturers, and distributors, and can be held liable for infringements.

paragraph 1, first subparagraph, point (h)

A provision outlining objectives related to the use of biometric identification systems.

paragraph 5

A provision that allows Member States to authorize the use of biometric identification systems under certain conditions.

parameters

Quantitative measures that define the characteristics and capabilities of AI models, influencing their generality and performance. Relevant parameters of the AI system that may be assessed by the notified body. The architecture and number of parameters that define the structure and functionality of the AI model. Quantitative measures that define the characteristics of an AI model.

performance metrics

Quantifiable standards used to assess the expected performance and robustness of high-risk AI systems.

personal data

Personal data refers to any information relating to an identified or identifiable individual, which is protected under EU law and must be processed in compliance with data protection regulations.

persons living in extreme poverty

Individuals who are particularly vulnerable to exploitation by manipulative AI systems due to their socio-economic situation.

polygraphs

Tools used to evaluate the reliability of evidence in investigations or prosecutions.

post-market monitoring plan

The post-market monitoring plan is a documented strategy that providers must establish to monitor the performance of high-risk AI systems.

post-market monitoring plan

A plan that outlines the necessary elements to be included for monitoring high-risk AI systems after they have been placed on the market.

post-market monitoring system

A system that high-risk AI system providers must implement to monitor performance and risks after market release.

post-market monitoring system

Activities by AI system providers to collect and review user experience for corrective or preventive actions.

post-remote biometric identification system

A remote biometric identification system that does not operate in real-time.

post-remote biometric identification systems

AI systems used for biometric identification that operate after the event, requiring strict safeguards due to their intrusive nature.

pre-training

An activity intended to enhance the capabilities of a general-purpose AI model prior to its deployment.

presumption of innocence

The legal principle that one is considered innocent until proven guilty, which could be undermined by AI system decisions.

product manufacturer

An entity responsible for producing goods that may incorporate high-risk AI systems and ensuring regulatory compliance.

professional pilots

Individuals whose fatigue states may be monitored to prevent accidents, not included in the emotion recognition system.

Prohibited AI practices

A set of practices involving AI systems that are deemed unacceptable due to their potential to cause significant harm to individuals or groups.

prohibited systems

AI systems that are banned from being placed on the market due to regulatory violations.

Protocol No 21

A protocol concerning the position of the United Kingdom and Ireland in respect of the area of freedom, security, and justice.

Protocol No 22

Protocol No 22 addresses the position of Denmark in relation to EU law, particularly concerning judicial cooperation.

provider

The entity responsible for the development, deployment, and oversight of high-risk AI systems, including risk identification and mitigation measures.

provider

An entity, either natural or legal, responsible for developing, placing, and ensuring compliance of high-risk AI systems in the market.

providers

Entities that enter data into the EU database and may include individuals or organizations.

public assistance benefits

Essential benefits and services provided by public authorities, including healthcare, social security, and housing assistance.

public authorities

Government entities that may deploy high-risk AI systems and are responsible for implementing regulations at national or regional levels.

public interest

The societal concern that justifies the disclosure of AI-generated content to inform the public.

public security

The use of AI systems to ensure the safety and security of the public.

publicly accessible space

A physical space accessible to an undetermined number of natural persons, regardless of ownership or activity type.

publicly accessible space

Any physical location that is accessible to an undetermined number of individuals, regardless of access conditions.

quality data

Data used to train the AI system, which must meet certain quality standards for compliance.

quality management system

A structured system ensuring the quality of AI products and services, particularly in compliance with regulatory standards.

quality management system

A system ensuring quality in processes and products, which microenterprises are encouraged to establish in a simplified manner, particularly for high-risk AI systems.

quality management system

A system implemented by the provider to ensure that AI systems are adequately managed and maintained.

quality management system

A structured system that ensures the quality of processes and products, which the provider must comply with.

quality management system approvals

Approvals granted to organizations indicating that their quality management systems comply with specified standards.

R. Metsola

The President of the European Parliament who signed the regulation.

Real-time Biometric Identification System

An AI system used for the real-time identification of individuals based on biometric data.

real-time biometric identification systems

Systems that use biometric data for identification in real-time, requiring authorization for their use.

real-time remote biometric identification system

This AI system identifies individuals in real-time using biometric data in publicly accessible spaces, primarily for law enforcement applications.

real-time remote biometric identification systems

These AI systems are used for the real-time identification of individuals through biometric data, particularly in public spaces for law enforcement purposes.

real-time systems

AI systems that capture, compare, and identify biometric data instantaneously or with minimal delay.

real-world testing plan

A detailed document outlining the objectives and methodologies for testing high-risk AI systems in real-world conditions.

Recommendation 2003/361/EC

A recommendation defining micro- and small enterprises, providing guidelines for their compliance with quality management systems.

reference database of persons

A database that contains information about individuals, which should be appropriate for each use case of biometric identification.

reg/2024/1689/oj

A specific regulation referenced in the European legal framework.

Registered business users

Businesses that have registered to use the AI models, with a threshold of at least 10,000 users for presumed high impact.

Registered end-users

Individuals who have registered to use the AI models.

Regulation

This comprehensive legal framework governs the use of AI systems within the EU, ensuring safety, fundamental rights, and non-discriminatory practices while addressing high-risk applications, market surveillance, and compliance obligations for providers and deployers.

Regulation (EC) No 2006/2004

This regulation, amended by Directive 2005/29/EC, addresses consumer protection cooperation and concerns unfair commercial practices.

Regulation (EC) No 300/2008

This regulation outlines rules and procedures related to security equipment and artificial intelligence systems in the context of civil aviation security.

Regulation (EC) No 45/2001

A regulation concerning the protection of individuals with regard to the processing of personal data by Community institutions and bodies.

Regulation (EC) No 765/2008

This regulation sets out the requirements for accreditation and market surveillance related to product marketing, ensuring compliance with EU standards.

Regulation (EC) No 810/2009

A regulation established by the European Parliament outlining procedural requirements for migration, asylum, and border control management within the EU.

Regulation (EU) 2016/679

Also known as the General Data Protection Regulation (GDPR), this regulation governs the processing of personal data and privacy rights within the European Union.

Regulation (EU) 2016/680

A regulation governing the processing of personal data for law enforcement purposes in the EU, particularly focusing on biometric data protection.

Regulation (EU) 2017/745

A regulation that establishes safety and performance requirements for medical devices, including those incorporating high-risk AI systems.

Regulation (EU) 2017/746

A regulation ensuring compliance with safety and performance requirements for in vitro diagnostic medical devices, relevant to high-risk AI systems.

Regulation (EU) 2018/1139

A regulation that is amended to include provisions regarding Artificial Intelligence systems as safety components.

Regulation (EU) 2018/1241

A regulation amending Regulation (EU) 2016/794 to establish the European Travel Information and Authorisation System (ETIAS).

Regulation (EU) 2018/1725

This regulation governs the protection of personal data processed by EU institutions and bodies, ensuring compliance with data protection standards.

Regulation (EU) 2018/1860

A regulation concerning the use of the Schengen Information System for the return of illegally staying third-country nationals.

Regulation (EU) 2018/858

A regulation regarding the approval and market surveillance of motor vehicles and their trailers.

Regulation (EU) 2019/1020

This regulation outlines the framework for market surveillance and compliance of products, including AI systems, within the EU, ensuring enforcement and oversight.

Regulation (EU) 2019/2144

A regulation addressing mandatory requirements for high-risk AI systems as safety components.

Regulation (EU) 2019/816

A regulation establishing a centralised system for identifying Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN).

Regulation (EU) 2019/817

A regulation on establishing a framework for interoperability between EU information systems in the field of borders and visa.

Regulation (EU) 2019/881

A regulation aimed at enhancing cybersecurity across the EU, establishing requirements for high-risk AI systems and cybersecurity certification.

Regulation (EU) 2022/2065

This regulation, established by the European Parliament and Council, outlines the liability and obligations of providers of intermediary services, particularly regarding AI systems, and amends Directive 2000/31/EC to enhance compliance and detection of illegal content.

Regulation (EU) 2022/868

A regulation by the European Parliament and Council concerning the protection of personal data and amending Regulation (EU) 2018/1724.

Regulation (EU) 2023/2854

A regulation by the European Parliament and Council addressing the transfer of personal data under Union law and harmonizing rules on data access and use.

Regulation (EU) 2023/988

A regulation aimed at ensuring the safety of AI systems not classified as high-risk, serving as a safety net and amending previous regulations.

Regulation (EU) 2024/1689

A regulation establishing harmonized rules for high-risk AI systems, outlining compliance obligations, cooperation requirements, and confidentiality for national authorities.

Regulation (EU) 2024/900

A regulation by the European Parliament and Council aimed at ensuring transparency and addressing risks of undue external interference in political advertising and voting rights.

Regulation (EU) No 1024/2013

A regulation that establishes the Single Supervisory Mechanism for financial institutions in the EU and mandates reporting to the European Central Bank.

Regulation (EU) No 1025/2012

This regulation outlines the framework for European standardisation, defining harmonised standards and ensuring stakeholder involvement for compliance with various regulations.

Regulation (EU) No 167/2013

This regulation concerns the safety of certain components in the aviation sector and the approval and market surveillance of agricultural and forestry vehicles.

Regulation (EU) No 168/2013

A regulation concerning the approval and market surveillance of agricultural, forestry vehicles, and two- or three-wheel vehicles, including quadricycles.

Regulation (EU) No 182/2011

A regulation outlining procedures for the exercise of implementing powers conferred on the European Commission.

Regulation (EU) No 526/2013

The previous regulation that was repealed by Regulation (EU) 2019/881, known as the Cybersecurity Act.

Regulation (EU) No 575/2013

A regulation on prudential requirements for credit institutions and investment firms, amending Regulation (EU) No 648/2012.

Regulation 2024/1689

This regulation establishes a framework for the classification, management, and compliance of high-risk AI systems, including transparency and documentation requirements.

Regulation on the ‘real-time’ use of AI systems

A regulation that lays down rules for the real-time use of AI systems, emphasizing the need for immediate processing without significant delays.

Regulations (EU) 2016/679

This regulation safeguards the fundamental right to personal data protection within the EU, outlining principles for data processing.

Regulations (EU) 2018/1725

A regulation concerning the protection of personal data in the context of EU institutions and bodies.

reinforcement learning

A method of training AI models where they learn to make decisions by receiving rewards or penalties.

remote biometric identification

A method of identifying individuals in real-time using biometric data in publicly accessible spaces.

remote biometric identification system

An AI system designed for the identification of individuals at a distance without their active involvement, using biometric data.

Remote biometric identification systems

AI systems used for identifying individuals based on biometric data, classified as high-risk due to potential discriminatory effects.

right not to be discriminated against

A fundamental right that may be violated by AI systems that perpetuate historical patterns of discrimination.

right to education and training

A fundamental right that may be violated by improperly designed AI systems.

rightsholders

Individuals or entities that hold the rights to works and have the authority to grant or deny permissions for their use.

risk analytics

Analytical processes used to assess the likelihood of certain events, such as financial fraud or the localization of illicit goods.

risk assessment

A process to evaluate the potential risks associated with a serious incident involving an AI system.

risk management system

A systematic process for identifying, evaluating, and managing risks associated with high-risk AI systems throughout their lifecycle.

risk taxonomy

A classification system for identifying and categorizing systemic risks associated with AI at the Union level.

risk-management policies

Policies aimed at identifying and mitigating risks associated with AI models.

risk-management system

A systematic approach for identifying, assessing, and mitigating risks associated with high-risk AI systems throughout their lifecycle to ensure compliance and effectiveness.

robustness

Robustness refers to the ability of an AI system to perform reliably under a variety of conditions and to withstand errors or unexpected inputs.

safeguards

Measures that ensure the rights and freedoms of third parties are maintained when using AI-generated content.

safeguards

Measures implemented to protect the fundamental rights and freedoms of natural persons when processing personal data.

safety components

Systems used to protect the physical integrity of critical infrastructure and the health and safety of persons and property.

sandbox

A controlled environment where data can be processed under specific conditions to test AI systems while ensuring data protection.

sandbox plan

A document that describes the objectives and conditions for activities within an AI regulatory sandbox.

Schengen Information System

A large-scale IT system used for the management of information related to border control and security within the Schengen Area.

scientific panel

The scientific panel is a group of independent experts that provides insights, alerts, and support for the enforcement of AI regulations, particularly regarding systemic risks associated with general-purpose AI models.

scientific research and development

Activities focused on the advancement of knowledge and technology, which may involve AI systems and models.

Section 2

A section of the regulation detailing specific requirements for conformity and high-risk AI systems.

Section 2

A section within the regulation that outlines specific requirements for AI systems and data.

Section 3

A section that outlines the obligations of the provider and deployer of high-risk AI systems.

Section A of Annex I

Section A of Annex I lists the Union harmonisation legislation relevant to high-risk AI systems.

Section A of Annex I

A section that lists Union harmonisation legislation applicable to high-risk AI systems.

sectoral group of notified bodies

A group formed to ensure coordination and cooperation among notified bodies.

self-supervised learning

A method of training AI models where the model learns from the data without explicit labels.

self-supervision

A training method used in AI models that allows them to learn from large amounts of data without explicit supervision.

sensitive operational data

Operational data related to criminal activities that, if disclosed, could compromise ongoing investigations.

serious incident

An event involving an AI system that results in significant consequences or risks, necessitating immediate reporting.

serious incident

An incident or malfunctioning of an AI system that leads to significant harm or disruption.

significant harm

The potential negative impact that AI systems can have on individuals or groups, which may occur even without intent.

small and microenterprises

Small and micro-sized businesses that may have different documentation requirements under the regulations.

SMEs

Small and medium-sized enterprises (SMEs) are vital to the economy and innovation, benefiting from simplified compliance requirements and targeted support under Union law, while being encouraged to participate in AI regulatory sandboxes.

SMEs

Small and Medium-sized Enterprises (SMEs) are businesses with personnel below certain limits, playing a crucial role in the economy and innovation, and are prioritized for access to AI regulatory sandboxes and compliance considerations.

social behaviour

Data related to the actions and interactions of individuals within a society, used for evaluation by AI systems.

social score

A metric derived from the evaluation of individuals' social behavior, which can lead to favorable or unfavorable treatment.

social scoring

A practice where individuals are scored based on their behavior or characteristics, potentially leading to discriminatory outcomes.

Software Packages

Different forms in which the AI system is made available, including embedded software and downloadable packages.

specific high-risk AI systems

Particular AI systems identified as high-risk that may be authorized for market placement under exceptional circumstances.

stakeholders

Stakeholders include various entities such as industry, academia, civil society, and standardization organizations involved in the development and design of AI practices.

standardisation development processes

Processes aimed at creating standards for AI systems, in which SMEs and other stakeholders should participate.

start-ups

Newly established businesses classified as SMEs that are involved in the development and deployment of AI systems, considered in compliance and standardization contexts.

subject

A natural person who participates in testing in real-world conditions.

substantial modification

A change to an AI system after its market placement that affects compliance with initial assessment requirements.

synthetic content

Content generated by AI systems that can be difficult to distinguish from human-generated content.

synthetic data generation

A method used to enhance the capabilities of AI models by creating artificial data for training purposes.

system architecture

The structure of software components and their interactions within an AI system.

systemic risk

A risk associated with high-impact capabilities of AI models that can significantly affect the Union market and public welfare.

systemic risks

Systemic risks associated with AI arise from the capabilities of general-purpose AI models, potentially leading to widespread negative impacts at the Union level.

systemic risks

Risks that arise from the use of AI models that can have widespread implications for society.

technical documentation

Comprehensive documentation detailing the characteristics, capabilities, limitations, and compliance of AI systems, essential for regulatory assessment.

technical limitations

Measures that restrict the re-use of personal data to ensure compliance with privacy and security standards.

technical redundancy solutions

Strategies implemented to ensure the robustness of high-risk AI systems, including backup or fail-safe plans.

technical solutions

Solutions that providers of AI systems must ensure are effective, interoperable, robust, and reliable.

testing and experimentation facilities

Facilities established by the Commission and Member States to support the testing and experimentation of new technologies in compliance with regulations.

testing data sets

Testing data sets assess the accuracy and reliability of AI models before deployment and may be accessed for evaluation.

testing in real-world conditions

The temporary testing of an AI system in real-world conditions to gather reliable data and assess conformity with regulatory requirements.

TEU

The Treaty on European Union (TEU) establishes the constitutional framework and principles guiding the European Union.

text and data mining

Techniques used for the retrieval and analysis of content, which may involve copyright protected material.

TFEU

The Treaty on the Functioning of the European Union (TFEU) outlines the operational framework and institutional functions of the EU.

TFEU

The Treaty on the Functioning of the European Union (TFEU) outlines the functioning of the European Union and its institutions.

The 'Blue Guide' on the implementation of EU product rules 2022

A Commission notice providing guidance on the implementation of EU product rules and clarifying the application of Union harmonization legislation.

third country

A country that is not a member of the European Union.

third party

An external entity that supplies AI systems, tools, services, components, or processes used in high-risk AI systems.

third-party conformity assessment body

An independent organization that evaluates products to ensure they meet regulatory standards.

threshold of floating point operations

A set limit that, if met by a general-purpose AI model, indicates potential systemic risks associated with that model.

toys

Products intended for play, which may be classified as high-risk under certain regulations.

trade secrets

Information that is not generally known or reasonably ascertainable, which must be protected under the law.

training data

Data used for training an AI system by fitting its learnable parameters.

training data set

The collection of data used to train the AI model, which is a criterion for assessing systemic risks.

training data sets

Training data sets for AI models must meet specific quality criteria and governance practices, and may be accessed for conformity assessment.

training data sources

Data collections or sets used to train AI models, which must be disclosed by providers under Union law.

training, validation and testing data sets

Data sets used for training, validating, and testing AI models to ensure they meet quality criteria.

transparency

The quality of being clear and open about how AI systems operate, which is crucial for accountability and public trust.

transparency obligation

A requirement for AI system providers to disclose when content has been artificially created or manipulated.

transparency requirements

Requirements that mandate high-risk AI systems to provide clear and understandable information to users and deployers.

Treaties

Legal agreements that form the basis of the European Union's legal framework.

Treaty on European Union (TEU)

A foundational treaty of the European Union that outlines its values and principles.

UN Convention relating to the Status of Refugees

An international treaty that defines the rights of refugees and the responsibilities of nations to protect them.

UNCRC General Comment No 25 (2021)

A document addressing children's rights in relation to the digital environment, emphasizing the protection of minors.

Union

Refers to the European Union, the governing body responsible for establishing regulations and standards for AI systems across member states.

Union AI testing support structures

Designated entities by the Commission to perform tasks related to AI testing and provide technical or scientific advice.

Union and national law

Legal frameworks that govern the lawful evaluation practices of natural persons.

Union and National Liability Law

Legal framework under which providers or prospective providers are liable for damages caused during testing in real-world conditions.

Union anti-money laundering law

Legislation aimed at preventing money laundering activities within the European Union.

Union data protection law

Legislation that outlines principles for data minimization and protection by design and by default.

Union ethical guidelines for trustworthy AI

A set of principles established by the Union to ensure that AI systems are developed and used in a trustworthy manner.

Union financial services law

A set of regulations governing financial institutions within the EU, focusing on internal governance, risk management, and quality management requirements.

Union harmonisation legislation

Legislation designed to facilitate the free movement of products within the EU while ensuring consistent safety and compliance standards.

Union harmonisation legislation

A body of legislation aimed at harmonising laws across the EU to ensure safety and health standards.

Union harmonised legislation

Legislation that sets out requirements applicable to various sectors, including those related to AI systems.

Union institution, body, office or agency

Various entities within the European Union that are subject to regulations and oversight by the European Data Protection Supervisor.

Union institutions

Various bodies, offices, and agencies within the European Union that support law enforcement authorities.

Union institutions, agencies and bodies

Entities within the EU that are subject to specific regulations and oversight.

Union institutions, bodies, offices or agencies

Entities within the European Union that support governance, law enforcement, and may utilize high-risk AI systems.

Union law

Union law encompasses the body of laws and regulations governing the European Union, including those related to data protection and consumer rights.

Union law

A comprehensive body of laws within the European Union that governs various areas including data protection, non-discrimination, and the use of AI systems, ensuring compatibility across member states.

Union law on the protection of personal data

A legal framework established by the European Union to protect personal data and privacy.

Union market

The economic area within the European Union where AI systems, particularly high-risk models, are regulated, monitored, and made available for use.

Union or national law

These legal frameworks govern the processing of personal data and may exempt certain high-risk AI systems from verification requirements, with potential fines for infringements.

Union safeguard procedure

A procedure that outlines the steps to be taken when objections are raised regarding measures taken by market surveillance authorities.

Union technical documentation assessment certificate

A certificate issued by a notified body indicating that an AI system conforms to required standards and assesses its technical documentation.

Union technical documentation assessment certificates

Certificates issued by the Union to confirm that technical documentation related to AI systems meets required standards.

Union values

Principles that uphold respect for human dignity, freedom, equality, democracy, and fundamental rights, including non-discrimination and data protection.

Union-wide unique single identification number

A unique identifier assigned to each testing scenario in accordance with regulatory requirements, ensuring traceability and accountability.

Union’s Ethics Guidelines for Trustworthy AI

Guidelines aimed at ensuring ethical standards in the development and deployment of AI systems.

United Nations Convention on the Rights of Persons with Disabilities

An international treaty aimed at protecting the rights and dignity of persons with disabilities.

unsupervised learning

A method of training AI models that involves learning patterns from unlabelled data.

urgent situations

Situations where immediate action is required, allowing exceptions to the usual authorization process for biometric identification.

User Interface

The interface provided to the deployer for interacting with the AI system.

users

Individuals or entities that deploy or interact with AI systems, who must be aware of the risks and instructions for use.

validation and testing procedures

Procedures used to validate and test the performance and compliance of AI systems.

validation data

Data used for evaluating an AI system.

validation data sets

Validation data sets ensure AI models function correctly and meet intended purposes, and may be accessed for performance validation.

very large online platforms

Very large online platforms, with significant user bases, are subject to specific regulatory obligations to identify and mitigate systemic risks associated with AI-generated content.

very large online platforms

AI systems that operate on a large scale, particularly in the context of online services, and are subject to specific obligations under the regulation.

very large online search engines

Very large online search engines must comply with regulations concerning AI systems and manage risks from AI-generated or manipulated content.

very large online search engines

AI systems that provide search functionalities on a large scale and are required to identify and mitigate systemic risks associated with artificially generated content.

video footage

Visual material captured by cameras, used in real-time or post systems for AI processing.

virtual reality

An immersive technology that can present stimuli to users, potentially distorting their behavior.

vulnerable groups

Specific populations at risk of discrimination or bias, including those affected by age or disability, requiring additional safeguards in AI interactions.

vulnerable persons

Individuals or groups who may be negatively impacted by AI systems, including those with disabilities and issues related to gender equality.

vulnerable position

A state in which individuals or groups are at a disadvantage compared to the deployer of an AI system, often due to various socio-economic factors.

watermarks

Techniques used to mark content in a machine-readable format to indicate its origin.

widespread infringement

Acts or omissions contrary to Union law that harm the collective interests of individuals.

workers’ rights

Rights that may be impacted by AI systems used in employment and management.

World Trade Organization Agreement on Technical Barriers to Trade

An agreement aimed at facilitating international trade by reducing technical barriers.